In our current setup Canvas access is enabled via SSO through a portal (i.e. faculty/students cannot log on through the direct link but can only access their courses through the portal). When a Canvas user logs out, they are redirected back to the SSO login page. However, if a user allows the Canvas session to time out, they are able to log back in to Canvas via myschool.instructure.com/login, a URL which returns the user to the application without entering their credentials.
For example: our SSO timeout is set to 4 hours for the convenience and productivity of our administrative users. Our Canvas timeout is set to 1 hour to limit the exposure for users on public computers (often students will work in a lab and forget to log out, so another student using the same computer afterwards can potentially use the previous student's Canvas account). It isn't until the end of the 4 hour SSO timeout that Canvas users are actually timed out.
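A small model of the two-layer session behaviour described above, added here as an illustration and not code from Canvas or the portal. The policy names, the per-request check, and the assumption that the SSO session has a fixed lifetime from the credential login are mine; the 4 hour and 1 hour timeouts are the ones given in the post.

```python
"""Model of an app session sitting on top of an SSO (IdP) session.

Added example; not Canvas or portal code. Timings are taken from the post,
policy names and the simplified session logic are assumptions.
"""
from dataclasses import dataclass, field

IDP_TIMEOUT_MIN = 240   # portal/SSO session lifetime from the post (4 h)
APP_TIMEOUT_MIN = 60    # Canvas idle timeout from the post (1 h)


@dataclass
class SsoModel:
    # "reuse": current behaviour - the app's /login URL bounces to the IdP,
    #          which still has a live session and re-authenticates silently.
    # "slo":   option 2 in the post - the app timeout also ends the IdP session.
    policy: str
    idp_expires_at: float = None
    app_last_activity: float = None
    credential_prompts: list = field(default_factory=list)

    def login_with_credentials(self, t):
        self.credential_prompts.append(t)
        self.idp_expires_at = t + IDP_TIMEOUT_MIN   # assumed absolute lifetime
        self.app_last_activity = t

    def _app_alive(self, t):
        return self.app_last_activity is not None and t - self.app_last_activity < APP_TIMEOUT_MIN

    def _idp_alive(self, t):
        return self.idp_expires_at is not None and t < self.idp_expires_at

    def access(self, t):
        """True if a request at minute t reaches the app without a credential prompt."""
        if self._app_alive(t):
            self.app_last_activity = t
            return True
        if self.policy == "slo":
            self.idp_expires_at = None   # app timeout terminates the SSO session too
        if self._idp_alive(t):
            self.app_last_activity = t   # silent re-auth via the IdP session
            return True
        self.login_with_credentials(t)
        return False


def unattended_exposure_minutes(policy):
    """Minutes after the last activity during which an unattended workstation
    still reaches the app without credentials (the lab-computer scenario)."""
    for t in range(1, IDP_TIMEOUT_MIN + 2):
        m = SsoModel(policy)
        m.login_with_credentials(0)
        if not m.access(t):
            return t
```

Under the "reuse" policy the exposure window is the full 240 minute SSO lifetime; with the app-triggered logout it drops to the 60 minute Canvas timeout.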
One of the options/enhancements below would help us resolve this vulnerability:
1. Allow the URL displayed at timeout to be that of the SSO login page and not myschool.instructure.com/login.
2. Canvas to initiate an SSO logout at timeout time.
All other applications we have integrated with SSO offer at least one of these options.