I stumbled across a use-case that seems to be quite normal for SAML:
Logging into app1, opening app2 SSO authenticates automatically
Logging out of app2, refreshing app1 – app1 remains logged in
I’ve checked the source code of a popular SAML implementation, and it just checks the cookie lifetime
https://github.com/simplesamlphp/simplesamlphp/blob/master/src/SimpleSAML/Session.php#L768
Is SAML designed to not check the validity of a session with the IDP? That would actually result in an SLO.
Yet how it is implemented here, only the SSO part actually seems to work.
It seems some IDPs actually provide a backchannel logout
https://www.identityserver.com/articles/the-challenge-of-building-saml-single-logout
and it seems Keycloak is a choice that does not provide this feature
https://www.keycloak.org/docs/25.0.6/server_admin/index.html#signing-out-all-active-sessions
So I am guessing that using Keycloak the only method to reduce security risks is to reduce session lifetime?
https://gist.github.com/dangtrinhnt/9930327#file-config-php-L218
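As an added illustration of the gap the question describes (this is example code, not from the question, SimpleSAMLphp or Keycloak): a minimal SP-side session store in Python that keeps the lifetime-only check but also records the IdP's NameID and SessionIndex, so that a back-channel LogoutRequest can revoke the matching local sessions. The element and namespace names are the SAML 2.0 ones; the store, cookie ids and the LogoutRequest document are constructed for the demo.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

class SpSessionStore:
    # SP-side sessions keyed by cookie id; each remembers the IdP's NameID and SessionIndex
    def __init__(self, lifetime_seconds):
        self.lifetime = lifetime_seconds
        self.sessions = {}

    def login(self, cookie_id, name_id, session_index, now):
        self.sessions[cookie_id] = {"name_id": name_id, "session_index": session_index,
                                    "created": now, "revoked": False}

    def is_valid(self, cookie_id, now):
        s = self.sessions.get(cookie_id)
        if s is None:
            return False
        # Lifetime check, as in the Session.php line cited above, plus a revocation flag
        return not s["revoked"] and now - s["created"] < self.lifetime

    def handle_logout_request(self, xml_text):
        # Back-channel SLO: revoke local sessions named by the IdP's LogoutRequest.
        # Assumes the request's XML signature was verified first and that a
        # hardened parser (e.g. defusedxml) replaces ET in production.
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
            raise ValueError("not a samlp:LogoutRequest")
        name_id = root.findtext("saml:NameID", namespaces=NS)
        indexes = {e.text for e in root.findall("samlp:SessionIndex", NS)}
        revoked = 0
        for s in self.sessions.values():
            # No SessionIndex in the request means: every session of that principal
            if s["name_id"] == name_id and (not indexes or s["session_index"] in indexes):
                s["revoked"], revoked = True, revoked + 1
        return revoked
# Constructed LogoutRequest for the demo, not a capture from any real IdP
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:NameID>alice@example.test</saml:NameID><samlp:SessionIndex>idx-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def demo():
    store = SpSessionStore(lifetime_seconds=3600)
    store.login("app1-cookie", "alice@example.test", "idx-1", now=1000)
    store.login("bob-cookie", "bob@example.test", "idx-2", now=1000)
    before = store.is_valid("app1-cookie", now=1500)      # True: cookie still within its lifetime
    revoked = store.handle_logout_request(LOGOUT_REQUEST)  # 1: alice's app1 session revoked
    after = store.is_valid("app1-cookie", now=1500)       # False: IdP logout propagated to the SP
    return before, revoked, after, store.is_valid("bob-cookie", now=1500)
```

Without the SessionIndex bookkeeping and the logout endpoint, the SP has nothing to revoke and is left with only the lifetime check, which is the behaviour observed in the question.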