Hey! I’m new here and figured I’d ask this community. I’ve been in cyber risk management and security architecture for the past five years. Recently migrated to a cloud native company so my on-prem mindset still holds a lot of weight in my thinking.
Today, we have a cloud hosted platform that third parties can federate their users into (for this scenario, assume the user has successfully authenticated with their company’s IdP, which could also include MFA). After signing in via federated SSO within our platform, the user is free to do what they’re authorized to do. When they’re done and wish to log out, there are two options – let the session idly time out, or the user can click ‘Logout.’ In both cases, when the session is terminated, all session “material” is invalidated. When the user attempts to log back into the platform, they are taken back to a login screen but are presented with a ‘Refresh’; upon clicking ‘Refresh,’ they are brought to a screen where they enter their user ID but no password. Upon clicking ‘Login,’ they log back into the platform as if they never clicked ‘Logout’; new session “material” is created and is used going forward.
My on-prem mindset says this is a risk/issue because we should be forcing users to re-authenticate with their full set of creds; however, our appdevs say this is by design.
I have done some research on the interwebs. Everything I read suggests that this is by design because the authN token/assertion from the IdP remains valid. The user never terminated their session with their IdP, just our platform. We can send a value to the IdP to invalidate the authN token, et al.; however, I have a sneaking suspicion that the user may get logged out of every other session relying on that IdP’s authN token/assertion.
Is this an issue or is this how federation should work?