Possible to disable the invoking of Login/Logout handlers via browser address bar?

Cantor, Scott cantor.2 at osu.edu
Fri Aug 24 12:23:26 EDT 2012

On Aug 24, 2012, at 11:20 AM, "Andrew Webb" <andrew.webb at statpro.com> wrote:

> I think that something a bit more programmatic and a bit less user accessible
> for session initiation/termination would be a desirable feature for the SP
> vNext.  Is this something you would happily consider?

I consider any reasonable use case if a request is filed. If it's a lot of work, then it becomes a matter of interest and priority setting. If I can't understand a need sufficiently, then I'd comment back in a RFE that I need a more detailed discussion on the dev list.

But in general, request fidelity takes much more work than you suggest here. Just preventing that one vector for changing ForceAuthn doesn't fix that hole. You need signed SAML requests, the IDP to require them, SP response correlation, and enforcement at the final step. Since you have that last part now, I've found it unclear what value the rest adds.

Part of this involves a much larger feature change, blocking unsolicited SSO.

-- Scott

More information about the users mailing list