Shibboleth acting as open redirect
max.spicer at york.ac.uk
Thu Oct 10 07:39:00 EDT 2019
It's come to my attention that our Shibboleth installation is acting as an
open redirect via the Logout endpoint. For example,
This could be used in phishing attacks to impersonate our domain.
Is this behaviour standard, or is it a mis-configuration on our part? How
should we best mitigate this? One option might be to simply disable this
Max Spicer - Identity Systems Developer
Enterprise Systems Group, IT Services, University of York