Reputation: 41
I'm curious what the best practice consensus is on this: For SAML 2.0 SLO, should the Service Provider's session timeout trigger Single Log Out out of the IDP account? Does the spec speak to this?
--
Illustrating the question with an example:
We'll call the service provider MyApp and we'll call the identity provider Microsoft Entra, and this SSO integration has Single Log Out configured.
I sign into MyApp with my Microsoft account via SSO.
- When I sign into MyApp and later hit Log Out in MyApp, I am logged out of both MyApp and my Microsoft account, as would be expected.
- When I sign into MyApp and am inactive for X minutes, I reach MyApp's session timeout and am signed out of MyApp (SP). ...Should this also cause me to be signed out of my Microsoft account (IDP) or no?
Upvotes: 1
Views: 125
Reputation: 51
You can find the Microsoft implementation of SAML 2.0 as it relates to SLO here:
https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-out-saml-protocol.
To answer your question, it triggers for the session participant only, and this is consistent with the Microsoft implementation. You can refer to the original guideline (page 61):
https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
Upvotes: 0
Reputation: 48279
The answer would be it depends purely on your requirements.
Imagine your service provider is an online shop and your identity provider is Google, quite common scenario. And then imagine the inactivity on the online shop logs you (as a user) out of your Google account.
Sounds weird.
On the other hand, if you control both the service and the identity provider and both components form a larger heterogeneous environment, it could be a requirement to terminate all sessions of all modules at once.
SAML has nothing to do with this requirement, in my opinion. Replace SAML with any SSO protocol and the question is still open.
In my experience, I've never encountered such a requirement, even though I've worked on multiple ecosystems consisting of multiple services and their identity providers. It doesn't mean anything, of course, just an indication that this could be uncommon.
If there's no requirement, you are free to do it any way you want.
Upvotes: 0
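Added example (not from the question or either answer) showing the point both answers make: the SP is the session participant that initiates SLO, so the SP's own session-end handling decides whether a LogoutRequest goes to the IdP. A user-clicked logout always sends one; an idle timeout only does so if the deployment's policy says to. The entity IDs, URLs, NameID and SessionIndex values below are constructed placeholders, and the request is left unsigned.

```python
"""SP-side model of SAML 2.0 Single Logout initiation (illustrative, not
from any vendor's code).  Entity IDs, URLs and session values are constructed."""
import time
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SP_ENTITY_ID = "https://myapp.example/saml/metadata"   # constructed placeholder
IDP_SLO_URL = "https://idp.example/saml2/logout"        # constructed placeholder
SESSION_TIMEOUT = 15 * 60  # seconds of inactivity before the SP session ends


def build_logout_request(name_id, session_index):
    """Serialise a <samlp:LogoutRequest> naming the IdP session to end.
    Production SPs sign it (XML-DSig or redirect-binding signature); omitted here."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "Destination": IDP_SLO_URL})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def new_session(name_id, session_index, now):
    """SP session record; SessionIndex is the value the IdP's assertion carried."""
    return {"name_id": name_id, "session_index": session_index,
            "last_seen": now, "active": True}


def end_session(session, reason, propagate_idle_timeout=False):
    """End the SP session.  Returns the LogoutRequest to send to the IdP when SLO
    should be initiated, else None.  reason: "user_logout" or "idle_timeout".
    User logout always initiates SLO; idle timeout only if policy says so."""
    session["active"] = False
    if reason == "user_logout" or (reason == "idle_timeout" and propagate_idle_timeout):
        return build_logout_request(session["name_id"], session["session_index"])
    return None


def sweep_idle(sessions, now, propagate_idle_timeout=False):
    """Expire sessions idle for SESSION_TIMEOUT or longer; return any
    LogoutRequests the SP should deliver to the IdP under the chosen policy."""
    requests = []
    for s in sessions:
        if s["active"] and now - s["last_seen"] >= SESSION_TIMEOUT:
            req = end_session(s, "idle_timeout", propagate_idle_timeout)
            if req is not None:
                requests.append(req)
    return requests
```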