Usage of EndSessionCallback to enable SLO from an RP iframe
Closed: hundis closed this 8 years ago

Hi, is it wise to call the endsessioncallback endpoint directly from an RP embedded iframe? The case we would like to support is a client-centered SLO where we present a modal directly in the client application when performing logout. I can see that this endpoint suppresses the same-origin policy when a valid sid is presented, so I was just wondering if this could be considered a valid use case or simply a really bad idea ;)
Cheers!

> Is it wise to call the endsessioncallback endpoint directly from an RP embedded iframe?

Can you elaborate on this? When we do SLO in iframes to callback endpoints we authenticate the calls passing the sid claim. It's up to the client app to validate it.

> The case we would like to support is a client-centered SLO where we present a modal directly in the client application when performing logout.

Popup or iframe? Any UI we present is using XFO, yes.

Our initial idea was to perform the idsrv logout in an iframe within the client web application so that the user isn't redirected to another system during logout.
If we were to relax the XFO on the logout endpoint, what risks would be present? We understand that evildoers could perform logout on the user's behalf; are there any other repercussions?

> Our initial idea was to perform the idsrv logout in an iframe within the client web application so that the user isn't redirected to another system during logout.

Why not just control this at the external IdP middleware?

> If we were to relax the XFO on the logout endpoint, what risks would be present? We understand that evildoers could perform logout on the user's behalf; are there any other repercussions?

Yes, trigger logout of all the user's apps.