[Sign Out / SM] SAML Single Log Out (SLO) #8

Open
timcappalli opened this issue Sep 27, 2021 · 1 comment
Labels
3p cookie requires third-party cookies in the flow

Comments

@timcappalli
Member

No description provided.

@timcappalli
Member Author

Old comments:

@hlflanagan
A how-to on SAML SLO that may help inform the issue before we get the scenario documented: https://www.identityserver.com/articles/the-challenge-of-building-saml-single-logout

@hlflanagan:

Useful discussion on an R&E Slack channel (shared with permission):
SLO works however people implement it, but the most common ones I know of, including the one I'm stuck maintaining, tend to rely on third-party cookies.
SSO itself does NOT, not ever, require third-party cookies. People doing that are the ones using SSO as an excuse to also implement tracking, which is how Google justifies SSO in its mind. So they use them. SAML does not.
The other case is a sort of "tools integration" style for apps where one app appears inside another, and that's frames. When you add SSO to that, you get the problems with third-party cookies, but it's a consequence of the UI model, not SSO itself.

@bc-pi
The https://www.identityserver.com/articles/the-challenge-of-building-saml-single-logout article mentions "using iframes instead of HTTP redirection" which will likely stop working when 3rd party cookies go away (or become partitioned by top level site). But the traditional (or "old fashioned" as the article calls it) redirect chain approach shouldn't rely on third-party cookies and so shouldn't be impacted. That seems like maybe a meaningful distinction. But I dunno - maybe it's just lost in all the noise. Or maybe I don't actually know what I'm talking about.

@hlflanagan hlflanagan added the 3p cookie requires third-party cookies in the flow label Oct 22, 2021
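
The distinction drawn in the last quoted comment above (iframe-based SLO versus the redirect chain), as an added example that is not part of the original thread or the project's own code. It is a toy model of cookie attachment, not a SAML implementation. Assumptions: the hostnames are hypothetical, each SP locates the session to end through a cookie it set first-party, and SameSite attributes are ignored.

```javascript
// Toy model of browser cookie attachment during SAML SLO. Constructed for
// illustration: hostnames are hypothetical and each is treated as its own site.
// Assumption: every SP finds the session to end via a cookie it set first-party.

// Is the SP's session cookie attached to a request for `requestSite` made
// while `topLevelSite` is the page in the address bar?
function cookieSent(requestSite, topLevelSite, policy) {
  if (requestSite === topLevelSite) return true; // first-party request
  // Cross-site subresource (e.g. a hidden iframe): the cookie is third-party.
  // "block" drops it; "partition" keys cookies by top-level site, so the jar
  // seen under the IdP does not hold the cookie the SP set on its own pages.
  return policy === "allow";
}

// Returns the SPs whose sessions are still live after the IdP-driven logout.
function runSlo(style, policy, idp, sps) {
  const survivors = [];
  for (const sp of sps) {
    // iframe style: the IdP logout page stays top-level and frames each SP's
    // logout endpoint. redirect style: the browser navigates to each SP in
    // turn, so the SP is the top-level site when its endpoint is requested.
    const topLevel = style === "iframe" ? idp : sp;
    if (!cookieSent(sp, topLevel, policy)) survivors.push(sp);
  }
  return survivors;
}

const IDP = "idp.example";
const SPS = ["wiki.example.org", "mail.example.net"];
for (const style of ["iframe", "redirect"]) {
  for (const policy of ["allow", "block", "partition"]) {
    const left = runSlo(style, policy, IDP, SPS);
    console.log(`${style}/${policy}: still logged in at [${left.join(", ")}]`);
  }
}
```

In this model only the iframe style leaves sessions behind once third-party cookies are blocked or partitioned; the redirect chain clears every SP under all three policies.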