IDP logout customizations

Liam Hoekenga liamr at umich.edu
Mon Apr 8 14:22:02 EDT 2019


>
> That's asking for an open redirector from the most sensitive system you
> have. How would you control what URLs were "acceptable" to land on? That's
> why the protocol is designed the way it is, and doesn't accommodate that
> sort of thing.
>

Doesn't the "return" parameter for the SP's local logout handler let you do
the same thing?  You don't even have to have a valid session to get it to
redirect you someplace.

In our legacy solution, the redirect URL had to be in an accepted domain
(pretty much just umich.edu).
I was thinking maybe with the future solution, maybe it would allow you to
redirect if the URL matched the SP Information URL in the MDUI metadata
elements?
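
The accepted-domain check described for the legacy solution above, as an added example that is not part of the original message and is not Shibboleth code. Only the umich.edu domain comes from the message; the function names, the fallback path and the https-only rule are assumptions.

```python
from urllib.parse import urlsplit

# umich.edu is the accepted domain named in the message.
ALLOWED_DOMAINS = ("umich.edu",)
# Hypothetical local page used when the requested return URL is rejected.
DEFAULT_LANDING = "/logged-out"


def is_allowed_return(url, allowed=ALLOWED_DOMAINS):
    """True only for absolute https URLs whose host is an allowed
    domain or a subdomain of one."""
    # Reject whitespace, control characters and backslashes up front:
    # browsers and urlsplit() do not normalise them the same way.
    if not url or any(ord(c) <= 0x20 or c == "\\" for c in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Assumption: https only. This also rejects scheme-relative
    # ("//host/") and relative values, which have an empty scheme.
    if parts.scheme != "https" or not host:
        return False
    # "https://umich.edu@other-host/" puts the trusted name in userinfo.
    if parts.username is not None or parts.password is not None:
        return False
    host = host.rstrip(".").lower()
    # Match on a label boundary, so "notumich.edu" and
    # "umich.edu.example.net" do not pass a naive suffix test.
    return any(host == d or host.endswith("." + d) for d in allowed)


def safe_return(url):
    """Return the requested URL if allowed, else the local default."""
    return url if is_allowed_return(url) else DEFAULT_LANDING
```
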