Terminate session if user does not accept terms&conditions

Oluf Færø ofa at klintra.fo
Thu Jun 10 13:00:08 UTC 2021

The current behaviour may be an issue when a public computer is used to start a service provider initiated SAML2 login flow.

First the Shibboleth IDP prompts the user to authenticate and next the user is prompted to accept the terms and conditions.

Some users may decide to abort or pause the flow at this point. Maybe close the browser tab or otherwise forget that they need to accept the Terms-and-conditions.

Because the user has not accepted the terms yet he may think that the IDP session is not established yet. He is not aware of the session already established on  the IDP and that he is must remember to logout of the session before he leaves the computer terminal.

It would there be good if it would be possible to terminate the IDP session if the user rejects the Terms and Conditions (TermsRejected signal) and/or have a post-authentication interceptor which limits the maximum time between the reception of an authnRequest and the execution of the outbound interceptor (maybe the context-check interceptor) .

More information about the users mailing list