IDP logout customizations
liamr at umich.edu
Mon Apr 8 14:22:02 EDT 2019
> That's asking for an open redirector from the most sensitive system you
> have. How would you control what URLs were "acceptable" to land on? That's
> why the protocol is designed the way it is, and doesn't accommodate that
> sort of thing.
Doesn't the "return" parameter for the SP's local logout handler let you do
the same thing? You don't even have to have a valid session to get it to
redirect you someplace.
In our legacy solution, the redirect URL had to be in an accepted domain
(pretty much just umich.edu).
I was thinking maybe with the future solution, maybe it would allow you to
redirect if the URL matched the SP Information URL in the MDUI metadata.
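The two checks mentioned in this message (an accepted-domain rule and a match against the SP's MDUI Information URL), sketched as an added Python example that is not part of the original post and is not Shibboleth code. The function names, the https-only rule and the sample metadata entry are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

ACCEPTED_DOMAIN = "umich.edu"
# Constructed sample: hypothetical entityID -> its mdui:InformationURL value.
SP_INFORMATION_URLS = {
    "https://sp.example.umich.edu/shibboleth": "https://sp.example.umich.edu/about",
}


def _parse(url):
    """Return (host, port, path, query), or None when the URL must be refused."""
    # Refuse empty values, whitespace/control characters and backslashes up
    # front: browsers and URL libraries disagree on how to read them.
    if not url or any(ord(c) <= 0x20 or c == "\\" for c in url):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:  # malformed port or bracketed host
        return None
    # Assumption: only absolute https URLs are valid landing pages. This also
    # refuses scheme-relative ("//host/") and relative values.
    if parts.scheme != "https" or not parts.hostname:
        return None
    # Userinfo ("https://trusted@other-host/") hides the real host from a reader.
    if "@" in parts.netloc:
        return None
    host = parts.hostname.lower().rstrip(".")
    return host, port, parts.path or "/", parts.query


def in_accepted_domain(url, domain=ACCEPTED_DOMAIN):
    """Legacy-style rule: the host is the domain itself or a subdomain of it."""
    p = _parse(url)
    # Compare on a label boundary so "evilumich.edu" and
    # "umich.edu.evil.example" do not pass a naive substring/suffix test.
    return bool(p) and (p[0] == domain or p[0].endswith("." + domain))


def matches_information_url(url, entity_id, metadata=SP_INFORMATION_URLS):
    """Stricter rule: the URL equals the InformationURL registered for this SP."""
    candidate = _parse(url)
    registered = _parse(metadata.get(entity_id))
    return candidate is not None and candidate == registered
```

The domain rule trusts every host under the domain, so it is only as strong as the weakest site there; the metadata match limits each SP to the single URL it registered.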