User time-out procedure enhancement

Idea created by Alisa Kadenic-Newman on Nov 14, 2018
    Open for Voting

    In our current setup, Canvas access is enabled via SSO through a portal (i.e. faculty/students cannot log on through the direct link but can only access their courses through the portal). When a Canvas user logs out, they are redirected back to the SSO login page. However, if a user allows the Canvas session to time out, they are allowed to log back in to Canvas via, a URL which returns the user to the application without entering their credentials.


    For example: our SSO timeout is set to 4 hours for the convenience and productivity of our administrative users. Our Canvas timeout is set to 1 hour to limit the exposure for users on public computers (often students will work in a lab and forget to log out; therefore, another student using the same computer afterwards can potentially use the previous student's Canvas account). It isn’t until the end of the 4-hour SSO timeout that Canvas users are actually timed out.


    One of the options/enhancements below would help us resolve this vulnerability:

    1. Allow the URL displayed at timeout to be that of the SSO login page and not the

    2. Canvas to initiate an SSO logout at timeout time. 


    All other applications we have integrated with SSO offer at least one of these options.