Terminate session if user does not accept terms&conditions

Oluf Færø ofa at klintra.fo
Thu Jun 10 15:41:52 UTC 2021

Thank you for the feedback.

So the Shibboleth IDP establishes a valid IDP session as soon as the authentication is successful. The post-authentication terms-interceptor does not modify this session state. 

Therefore in the terms-screen I think it is reasonable to present the user with two options. Either the terms are accepted or the user must log-out (HTTP GET request to /profile/Logout) to terminate the session. I do not see the reason why the IDP should maintain the IDP session if the user rejects the terms. 

What should be the reason to keep the IDP session alive if the user has rejected the terms ?

More information about the users mailing list