apluslms / a-plus

A+ frontend portal - A+ LMS documentation:
https://apluslms.github.io/

At logout, warn the user about the session in the identity provider #681

Open markkuriekkinen opened 4 years ago

markkuriekkinen commented 4 years ago

We could more explicitly warn users that when they log out from A+, they may still have an active session in the university identity provider and it may be possible to log back into A+ without typing any password. This might apply to Google login too. We could also consider logging the user out in the identity provider if possible.


From a teacher:

Aplus login has this ”feature” that I think is a bug: if you log in with a certain account and then log out and then log in again, it does not forget you, but you can log in without giving an account or password. I.e., after logout, if you click ”kirjaudu sisään”/"log in", it goes to the Aalto login page, but if you click ”Aalto-kirjautuminen”/"Aalto login", it does not ask for your account or password, but you are logged in again with the earlier name!

I don’t know if this is a browser issue, but as far as I can see, after logout nobody should be able to log in again to any account without giving the password again…


My first response:

This occurs when the user's session is still active in the Aalto IdP (identity provider) server and it behaves the same way in other Aalto systems, for example, http://aalto.fi. If you clear the browser cookies or open a private browsing window, you can see that the IdP does not remember any old sessions. Closing the browser probably also clears the IdP session cookies.

I don't consider this a bug. It might be possible to close the user's session in the IdP when the user logs out from A+, but usually the logout in a service is not supposed to clear the IdP session. When the IdP session is active, the user can log in to any Aalto system without typing in the password (and that is intentional).

raphendyr commented 4 years ago

SSO logout is a very horrible problem and there don't seem to be any full implementations. The best is to clear all authentication tokens (cookies) from the browser.

However, it should be possible to provide a link for the user to also log out from the SSO system, which still wouldn't log out the user from other services (e.g. MyCourses in Aalto).

This might be a good point to start researching that: https://auth0.com/docs/logout/log-users-out-of-saml-idps

markkuriekkinen commented 4 years ago

Indeed, the HAKA attributes include a logout URL which logs the user out from the IdP, I guess.
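The logout flow discussed in this thread, as an added example that is not A+ code: the local session is always flushed, the browser is sent to an IdP logout URL only if one was stored at login and its host is on a trusted list (so an attribute-supplied URL cannot become an open redirect), and otherwise the user gets the warning that their IdP session may still be active. The `Session` class, the `idp_logout_url` session key and the `TRUSTED_IDP_HOSTS` allowlist are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist of identity-provider hosts we are willing to redirect
# to for single logout; a real deployment would take this from its settings.
TRUSTED_IDP_HOSTS = {"idp.example.org"}

IDP_WARNING = (
    "You have been logged out of this service, but your session in the "
    "identity provider may still be active: another login from this browser "
    "may not ask for your password. Close the browser to end that session."
)


@dataclass
class Session:
    """Minimal stand-in for a web framework session (constructed for this example)."""
    data: dict = field(default_factory=dict)

    def flush(self) -> None:
        self.data.clear()


@dataclass
class LogoutResult:
    redirect_to: Optional[str]  # IdP logout URL to send the browser to, or None
    warning: Optional[str]      # message shown when the IdP session cannot be ended


def idp_logout_url_is_trusted(url: str) -> bool:
    """Only follow an absolute https URL on a known IdP host (avoids open redirects)."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_IDP_HOSTS


def logout(session: Session) -> LogoutResult:
    """Clear the local session, then either redirect to the IdP logout or warn the user."""
    # Hypothetical key under which the login view stored the IdP-provided logout URL.
    idp_logout_url = session.data.get("idp_logout_url")
    session.flush()  # the local logout happens regardless of what the IdP supports
    if idp_logout_url and idp_logout_url_is_trusted(idp_logout_url):
        return LogoutResult(redirect_to=idp_logout_url, warning=None)
    return LogoutResult(redirect_to=None, warning=IDP_WARNING)
```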