IDP logout customizations

Liam Hoekenga liamr at
Mon Apr 8 14:22:02 EDT 2019

> That's asking for an open redirector from the most sensitive system you
> have. How would you control what URLs were "acceptable" to land on? That's
> why the protocol is designed the way it is, and doesn't accommodate that
> sort of thing.

Doesn't the "return" parameter for the SP's local logout handler let you do
the same thing?  You don't even have to have a valid session to get it to
redirect you someplace.

In our legacy solution, the redirect URL had to be in an accepted domain
(pretty much just
I was thinking maybe with the future solution, maybe it would allow you to
redirect if the URL matched the SP Information URL in the MDUI metadata
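
The check floated at the end of this message, sketched as an added example that is not part of the original post and is not Shibboleth code. It assumes "matched" means same origin (scheme, host, port) as an `mdui:InformationURL`, and that the metadata has already been verified. The function names and the sample metadata are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}

# Constructed sample: one SP's metadata, assumed already signature-verified.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:InformationURL xml:lang="en">https://sp.example.org/about</mdui:InformationURL>
    </mdui:UIInfo></md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _origin(url):
    """Return (scheme, host, port) for an absolute https URL, else None."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None  # rejects relative, scheme-relative and non-https URLs
    if parts.username is not None or parts.password is not None:
        return None  # rejects URLs that carry a userinfo part before the host
    return (parts.scheme, parts.hostname.lower(), 443 if port is None else port)


def allowed_origins(metadata_xml):
    """Origins of every mdui:InformationURL the SP publishes."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:InformationURL"
    found = (_origin(el.text or "") for el in root.findall(path, NS))
    return {o for o in found if o is not None}


def is_acceptable_return(return_url, metadata_xml):
    """True only if return_url shares an origin with an InformationURL."""
    if any(c in return_url for c in "\\\r\n\t"):
        return False  # browsers may read a backslash as '/' and drop control chars
    origin = _origin(return_url)
    return origin is not None and origin in allowed_origins(metadata_xml)
```

Comparing parsed origins rather than string prefixes is what keeps look-alike hosts and userinfo tricks from passing the check.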
