Shibboleth acting as open redirect

Max Spicer max.spicer at
Thu Oct 10 07:39:00 EDT 2019


It's come to my attention that our Shibboleth installation is acting as an
open redirect via the Logout endpoint. For example,
This could be used in phishing attacks to impersonate our domain.

Is this behaviour standard, or is it a mis-configuration on our part? How
should we best mitigate this? One option might be to simply disable this


Max Spicer
Max Spicer - Identity Systems Developer
Enterprise Systems Group, IT Services, University of York