User time-out procedure enhancement

In our current setup, Canvas access is enabled via SSO through a portal (i.e., faculty/students cannot log on through the direct link but can only access their courses through the portal). When a Canvas user logs out, they are redirected back to the SSO login page. However, if a user allows the Canvas session to time out, they are allowed to log back in to Canvas via, a URL which returns the user to the application without entering their credentials.

For example: our SSO timeout is set to 4 hours for the convenience and productivity of our administrative users. Our Canvas timeout is set to 1 hour to limit the exposure for users on public computers (often students will work in a lab and forget to log out; therefore, another student using the same computer afterwards can potentially use the previous student's Canvas account). It isn’t until the end of the 4-hour SSO timeout that Canvas users are actually timed out.

One of the options/enhancements below would help us resolve this vulnerability:

1. Allow the url displayed at timeout to be that of the SSO login page and not the 

2. Canvas to initiate an SSO logout at timeout time. 

All other applications we have integrated with SSO offer at least one of these options. 
