Is checkmk SAML 2.0 capable?

In regard to this whole SAML implementation, the thing I am struggling with is the issue of Single Logout.

If I log out of my CheckMK site I am only logged off the local site, but not in a federated way.
This means that when I refresh/point my browser back to the (base) URL where the module takes hold, I will log in (within the session time on my IdP) without any interaction.
The module facilitates SLO features, however without a means to adapt the logout link from CheckMK itself it is not going to be effective.

So can we get a hook on the logout URL / be able to manipulate it?

For a clarification as to why this is wanted:

  • Imagine I am logging into CheckMK from a public PC (secured over SAML, with a method which forces 2FA).
  • I log off the CheckMK site, as I needed to take a bathroom break, so I expect that when I log off I am actually logged out.
  • While I am in the bathroom someone takes a seat, presses refresh, and … uhm, unexpectedly he is in my CheckMK session, as it was still validated at the IdP. This sounds like a VERY big oopsie.

Remember, such scenarios are hypothetical, but they still pose a serious risk when using federated login without federated logout!
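To make concrete what a federated logout link would have to send that a plain local logout does not, here is an added example (not code from the post or from Checkmk) that builds an SP-initiated SAML 2.0 LogoutRequest carrying the user's NameID and SessionIndex and encodes it for the HTTP-Redirect binding. The SP entity ID, IdP SLO endpoint and identifiers are constructed placeholders, and request signing (which most IdPs require) is left out.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholders: a real SP takes these from its SAML configuration.
SP_ENTITY_ID = "https://checkmk.example.invalid/mysite/check_mk/"
IDP_SLO_URL = "https://idp.example.invalid/saml/slo"


def build_logout_request(name_id, session_index,
                         issuer=SP_ENTITY_ID, destination=IDP_SLO_URL):
    """Return (request_id, xml_bytes) for an SP-initiated samlp:LogoutRequest.

    name_id and session_index come from the Assertion the IdP issued at login;
    sending them is what lets the IdP end its own session, not only ours.
    """
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    request_id = "_" + uuid.uuid4().hex  # xsd:ID must not start with a digit
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return request_id, ET.tostring(root, encoding="utf-8")


def redirect_binding_url(xml_bytes, destination=IDP_SLO_URL, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest.

    Signature/SigAlg query parameters are omitted here (assumption: unsigned).
    """
    compressor = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{destination}?{urlencode(params)}"


def decode_saml_request(url):
    """Inverse of the binding: recover the XML the IdP would receive."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), wbits=-15)
```

A logout link that only clears the local Checkmk session never produces this message, which is why the IdP session (and the silent re-login) survives.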
