There are, at least in SAML, no real guidelines for:

  • The use of cookies in any capacity during SSO or SLO.
  • The user interface for the full orchestration of SLO.

Since these two things are out of scope of the standard, it is difficult to speak in absolutes about this issue. Given the constraints of implementing an SLO interface, however, it is likely that many, if not most, SLO experiences are managed by the IdP and implemented using hidden iframes, because that is the only obvious way to drive a large number of interactions with an unbounded set of third-party sites (the SPs). Additionally, many SPs and applications require access to the cookie state between the SP and the browser in order to implement a logout.

Thus, it is common that session cookies issued by SPs (as first-party cookies) are expected to be transmitted from within frames hosted by the IdP, at which point the browser treats them as third-party cookies.

Blocking third-party cookies outright is therefore likely to impair the ability of many SAML SPs to successfully execute a logout when the IdP requests one. Allowing cookies previously issued in a first-party context to be sent to the SP in a third-party context is one mitigation for this issue, and historically is what some browsers have done.
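The following is an added example, not code from the original page or from any SAML implementation: a small model of the browser decision that determines whether an SP's session cookie is attached to the SP logout request an IdP issues from a hidden iframe. The host names (idp.example, sp-a.example, sp-b.example), the cookie values and the three policy names are assumptions; the policies are a simplification of real browser third-party-cookie settings, with "allow-if-visited" standing in for the historical mitigation described above (cookies a site set while it was first-party may still be sent to it as third-party).

```javascript
// Added example (not from the original page): models which SP session cookies
// reach the SP's logout endpoint when the IdP frames that endpoint during SLO.
// Assumptions: cookie attributes follow RFC 6265bis (SameSite, Secure); a cookie
// set without SameSite is treated as Lax, as current browsers do; hosts and
// policies are hypothetical simplifications of real browser behaviour.

const IDP_SITE = "idp.example";                     // hypothetical IdP orchestrating SLO
const SP_SITES = ["sp-a.example", "sp-b.example"];  // hypothetical SPs being logged out

// Parse a Set-Cookie header as the SP emitted it during the user's original
// first-party visit. Only the attributes this model needs are retained.
function parseSetCookie(header, site) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const [name, value] = pair.split("=");
  const cookie = { name, value, site, secure: false, sameSite: "Lax", setFirstParty: true };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    if (k.toLowerCase() === "secure") cookie.secure = true;
    if (k.toLowerCase() === "samesite" && v) cookie.sameSite = v;
  }
  return cookie;
}

// Policies modelled:
//   "allow"            legacy default: third-party cookies are sent
//   "block"            all third-party cookies are blocked
//   "allow-if-visited" cookies a site set while first-party are still sent to it
//                      when it is third-party (the mitigation the text mentions)
function cookieAttached(cookie, request, policy) {
  if (cookie.site !== request.site) return false;             // different host
  if (cookie.secure && request.scheme !== "https") return false;
  const crossSite = request.topLevelSite !== request.site;
  if (!crossSite) return true;                                 // first-party: sent
  // SameSite is enforced before any third-party policy: a framed request is not
  // a top-level navigation, so Lax and Strict cookies are never attached.
  if (cookie.sameSite.toLowerCase() !== "none") return false;
  if (!cookie.secure) return false;                            // SameSite=None requires Secure
  switch (policy) {
    case "allow": return true;
    case "block": return false;
    case "allow-if-visited": return cookie.setFirstParty;
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// The Set-Cookie header an SP needs if the IdP is going to frame its logout
// endpoint: cross-site delivery requires SameSite=None together with Secure.
function sloCompatibleSetCookie(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=None`;
}

// Simulate the IdP's hidden-iframe fan-out: each SP logout endpoint is loaded
// with the IdP as the top-level site. Reports, per SP, whether its session
// cookie arrived (and so whether the SP could end the session).
function simulateSlo(jar, policy) {
  return jar.map((cookie) => ({
    sp: cookie.site,
    loggedOut: cookieAttached(
      cookie,
      { site: cookie.site, topLevelSite: IDP_SITE, scheme: "https" },
      policy
    ),
  }));
}

// Constructed cookie jar: sp-a issued an SLO-compatible cookie, sp-b an older
// one without SameSite or Secure.
const jar = [
  parseSetCookie(sloCompatibleSetCookie("SPSESSION", "a1"), SP_SITES[0]),
  parseSetCookie("SPSESSION=b2; Path=/; HttpOnly", SP_SITES[1]),
];

for (const policy of ["allow", "block", "allow-if-visited"]) {
  console.log(policy, simulateSlo(jar, policy));
}
```

Two things fall out of running it. Under "block", no SP logs out regardless of how it set its cookie, which is the impact described above; under "allow-if-visited", an SP that was visited first-party recovers. Independently of the third-party policy, an SP whose cookie lacks SameSite=None and Secure never receives it in the IdP's frame, so an SP that expects to be framed for SLO has to issue its session cookie with those attributes.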
