... The problem with this is that when I log out of WordPress, my website still thinks I'm logged in until the session ends.
Is this the intended behaviour? ...
You click logout at WordPress and expect it to propagate the logout to your SP(?), i.e. you are talking about IdP-initiated SLO (single logout).
I am not familiar with using WordPress as a SAML IdP, but maybe you are using this plugin: https://wordpress.org/plugins/miniorange-wp-as-saml-idp/
At the time of writing, the aforementioned page says that SLO is a premium feature:
- Single Logout Terminate user’s Single Sign-On session on WordPress as well as on Service Provider applications, when the user logs out of your WP site or any configured Service Provider application. (Premium Feature)
So you would have to have that enabled in order to have a chance to accomplish IdP-initiated SLO.
Furthermore SLO is harder than SSO. passport-saml doesn't provide fully functional SLO out of the box. See further details from: https://github.com/node-saml/passport-saml/blob/v5.0.0/README.md#slo-single-logout
tl;dr: there are multiple things that you have to consider when implementing support for IdP-initiated SLO, and the implementation depends on how you have chosen to manage sessions etc.
And last but not least, the answer to your question: if your IdP doesn't support SLO (or if you have not implemented support for SLO in your application), it is expected behaviour.
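
As an added illustration (not part of the original reply and not passport-saml's own code): one way an SP can prepare for IdP-initiated SLO is to index its local sessions by the NameID and SessionIndex from the assertion, so that a validated LogoutRequest can destroy them even when it arrives without the user's session cookie. `SamlSessionIndex`, its methods and the sample values are hypothetical; signature validation of the LogoutRequest is assumed to happen before `logout` is called.

```javascript
// Added example: SP-side index from SAML identity to local session ids.
// Hypothetical names throughout; this is not passport-saml API.
class SamlSessionIndex {
  constructor(store) {
    this.store = store;       // Map-like session store: sid -> session data
    this.byLogin = new Map(); // "nameID\0sessionIndex" -> Set of sids
  }

  static key(nameID, sessionIndex) {
    return `${nameID}\u0000${sessionIndex ?? ''}`;
  }

  // Call after a successful SAML login, with values taken from the assertion.
  register(sid, nameID, sessionIndex) {
    const k = SamlSessionIndex.key(nameID, sessionIndex);
    if (!this.byLogin.has(k)) this.byLogin.set(k, new Set());
    this.byLogin.get(k).add(sid);
    this.store.set(sid, { nameID, sessionIndex });
  }

  // Call only after the IdP's LogoutRequest has been validated.
  // Sessions are looked up by identity, not by cookie. If the request carries
  // no SessionIndex, every session of that principal is terminated.
  logout(nameID, sessionIndex) {
    const destroyed = [];
    for (const [k, sids] of this.byLogin) {
      const [n, idx] = k.split('\u0000');
      if (n !== nameID) continue;
      if (sessionIndex !== undefined && idx !== sessionIndex) continue;
      for (const sid of sids) {
        this.store.delete(sid);
        destroyed.push(sid);
      }
      this.byLogin.delete(k);
    }
    return destroyed;
  }
}

// Constructed sample data: one user logged in from two browsers, plus another user.
function demo() {
  const store = new Map();
  const index = new SamlSessionIndex(store);
  index.register('sid-a', 'alice@example.test', '_idx1');
  index.register('sid-b', 'alice@example.test', '_idx2');
  index.register('sid-c', 'bob@example.test', '_idx3');
  const first = index.logout('alice@example.test', '_idx1'); // one IdP session
  const rest = index.logout('alice@example.test');           // no SessionIndex
  return { first, rest, remaining: [...store.keys()] };
}
```

With a real session store, `register` would run in the login callback and `store.delete` would be replaced by the store's own destroy call.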