Disabling the return parameter in SP local logout
kwessel at illinois.edu
Tue May 16 16:04:02 EDT 2017
I've got an SP admin whose security scan of their SP is complaining that the return parameter of the SP local logout can lead to phishing. This seems rather silly to me, even though it's true. If I have SAML logout enabled but it fails (perhaps because the scanner is trying to call the logout URL when nobody's logged in), the SP obviously falls back to local logout. The scanner passes a return parameter and, of course, the user is redirected. The scanner sees that as phishing, obviously.
Is there a way to tell the SP's local logout mechanism to ignore the return parameter, displaying the local logout page even if a return param is passed?