I'd like to see SolarWinds Orion support some kind of Single Logoff (SLO) functionality.
Today, the logout button (clicking your username in the top right) will log you off of Orion. However, it will not inform the IdP that you have initiated a logout. This means that if you click the SAML button again, you will be instantly logged back into Orion.
We are trying to set up our Orion instance behind Multi-Factor Authentication. We have decided to use our IdP of choice, Shibboleth, to do this. After working out kinks related to what Orion's expecting in terms of group names (which is its own can of worms and could have its own feature request), we successfully tested our environment and logon is working like we expect.
However, we've also set up our environment with privileged access. Our standard accounts get read-only access to pretty much the entire Orion environment. Our administrator accounts get "group of groups" access to objects a team owns to perform higher-level steps like muting alarms and unmanaging nodes. This means that switching between regular and elevated credentials could happen often, as there's no "step up" permissions in the system itself. Currently, using the standard Orion login page, this doesn't pose an issue. You log off, type in the new username and password for your elevated account, and log in. But with SAML login, the IdP credentials are still live, so it lets you right through without prompting you to re-enter your credentials.
Nowhere in the SAML setup is there a place for us to specify a Single Logout location, or even a redirect to go to for logging out.
In terms of Orion documentation, there's only one potential workaround given: rewriting the functionality of the logout page: https://support.solarwinds.com/SuccessCenter/s/article/How-to-redirect-the-logout-button-to-the-summary-page?language=en_US
This workaround is, IMO, unacceptable. We do not want to edit the default web console delivered pages, because they will be overwritten with every version upgrade or reconfiguration. And if we ever went to cloud-hosted Orion, we wouldn't even have that as an option.
Having anything in the menu would be helpful. Ideal case would be a specific setting for logout behavior. Barring that, having an option in the Identity Provider page would go a long way.
