
We are still struggling to get SAML integrations to production. The actual standard isn't that bad (it's just XML and X.509...); the hard part is getting the business to understand certain caveats. SSO is not a win-win situation. It is an exercise in trade-offs.

It took an entire meeting to get our stakeholders to understand the unfortunate implications of single sign out... Also, asking the question "do all your SSO apps operate in the same security context" was a great way to summon some additional dragons.

We ultimately wound up at something where SAML can initiate sessions in our application, but the user is forced to re-authenticate with the IdP every time (so we eliminated the first S). Additionally, once a session is initiated, there is no taking it back from an IdP perspective. The only way to revoke a session is from our software via an internal timeout or application-specific logout action.

So, really all we've done is implement same sign-on. Single sign-on is emerging as some sort of fantasy timeline where everyone still works in a secure physical office and can associate shared tokens to a time clock or badge system.
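For the forced re-authentication pattern this post describes, here is an added SP-side example in Python (standard library only; it is not the commenter's code): the AuthnRequest carries `ForceAuthn="true"`, and because an IdP is free to ignore that flag, the SP independently checks the assertion's `AuthnInstant` before opening a session. The sample response is constructed, and signature verification is assumed to have already been done by a SAML library.

```python
# Added example: enforce "re-authenticate at the IdP every time" on the SP side.
# Assumes the Response signature was already validated by your SAML library.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC with a literal Z


def parse_instant(text):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:05Z."""
    return datetime.strptime(text, TS).replace(tzinfo=timezone.utc)


def build_authn_request(request_id, issuer, acs_url, now):
    """Minimal AuthnRequest that asks the IdP for an interactive login."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{now.strftime(TS)}" '
        f'AssertionConsumerServiceURL="{acs_url}" ForceAuthn="true">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


def authn_is_fresh(response_xml, now, max_age_seconds):
    """True only if the assertion proves a login within max_age_seconds.

    An IdP that silently reuses its own SSO session returns an old
    AuthnInstant, which is exactly what this check refuses.
    """
    root = ET.fromstring(response_xml)
    stmt = root.find(".//saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        return False
    age = now - parse_instant(stmt.get("AuthnInstant"))
    # Reject stale logins and timestamps from the future alike.
    return timedelta(0) <= age <= timedelta(seconds=max_age_seconds)


# Constructed sample response (unsigned, for illustration only).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:05Z" SessionIndex="_constructed"/>
  </saml:Assertion>
</samlp:Response>"""
```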




I can't speak for all IdPs, but Azure allows configuring a sign-out URL to solve this issue: when the user signs out of their Azure AD account, the sign-out URL is called so that the application can revoke the user's session.


I thought the Single in SSO was for identity, not frequency of authentication.


> It took an entire meeting to get our stakeholders to understand the unfortunate implications of single sign out...

What are the implications?



