User time-out procedure enhancement

Idea created by Alisa Kadenic-Newman on Nov 14, 2018
    Open for Voting
    Score: 10

    In our current setup, Canvas access is enabled via SSO through a portal (i.e. faculty/students cannot log on through the direct link but can only access their courses through the portal). When a Canvas user logs out, they are redirected back to the SSO login page. However, if a user allows the Canvas session to time out, they are allowed to log back in to Canvas via myschool.instructure.com/login, a URL which returns the user to the application without entering their credentials.

     

    For example: our SSO timeout is set to 4 hours for the convenience and productivity of our administrative users. Our Canvas timeout is set to 1 hour to limit the exposure for users on public computers (often students will work in a lab and forget to log out; therefore, another student using the same computer afterwards can potentially use the previous student's Canvas account). It isn't until the end of the 4-hour SSO timeout that Canvas users are actually timed out.

     

    One of the options/enhancements below would help us resolve this vulnerability:

    1. Allow the URL displayed at timeout to be that of the SSO login page and not myschool.instructure.com/login.

    2. Canvas to initiate an SSO logout at timeout time. 

     

    All other applications we have integrated with SSO offer at least one of these options.
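
The timeout interaction described in the post, as an added example that is not part of the original post and is not Canvas or SSO product code. It is a simplified model: the `Policy` fields, the visitor names, timers in minutes, a Canvas timer restarted by activity and a fixed SSO lifetime are all assumptions. It replays constructed visits to the login URL on one shared lab browser under the current behaviour and under option 2.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    sp_timeout: int = 60             # Canvas session timeout in minutes (1 hour, from the post)
    idp_timeout: int = 240           # SSO session timeout in minutes (4 hours, from the post)
    slo_on_sp_timeout: bool = False  # option 2: Canvas timeout also ends the SSO session

# Constructed sample: people opening the Canvas login URL on one shared lab browser.
VISITS = [(0, "alice"), (90, "bob"), (200, "carol"), (300, "dave")]

def replay(policy, visits):
    """Return (minute, person, outcome, account) for each visit, in time order."""
    sp_owner = idp_owner = None
    sp_expiry = idp_expiry = 0
    results = []
    for minute, person in visits:
        if sp_owner is not None and minute >= sp_expiry:
            sp_owner = None                      # Canvas session timed out
            if policy.slo_on_sp_timeout:
                idp_owner = None                 # option 2: SSO logout at timeout
        if idp_owner is not None and minute >= idp_expiry:
            idp_owner = None                     # SSO session timed out
        if sp_owner is not None:
            outcome = "existing Canvas session"
        elif idp_owner is not None:
            outcome = "silent SSO re-login"      # no credentials asked for
            sp_owner = idp_owner
        else:
            outcome = "credentials required"
            sp_owner = idp_owner = person
            idp_expiry = minute + policy.idp_timeout
        sp_expiry = minute + policy.sp_timeout   # assumed: activity restarts the Canvas timer
        results.append((minute, person, outcome, sp_owner))
    return results

def exposed(results):
    """Visits where someone ended up in another person's account."""
    return [(m, p) for m, p, _, account in results if account != p]

if __name__ == "__main__":
    for label, policy in [("current", Policy()), ("option 2", Policy(slo_on_sp_timeout=True))]:
        print(label)
        for row in replay(policy, VISITS):
            print("  ", row)
```

In this model the current settings let the visits at minutes 90 and 200 land in the first user's account, while option 2 prompts every new visitor for credentials once the Canvas timeout has passed.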