I am wondering if anyone can confirm this is the expected behavior from lastpass browser extension:
When I login as a federated user, the extension will direct me to the SSO OP ( Azure AD ) login page as expected. When I logout from the extension, then login again, it asked me to provide login email, then immediately log me in without redirecting me to OP login page. I tried Chrome,Edge and Firefox, same result.
Looks like when I logout from the extension, it didn't send a logout request to the OP, so my browser session is still login with the OP.
Can anyone from Lastpass confirm this is the supposes behavior for federated user:
When logout from lastpass browser extension, user is not really logout from SSO and he can login back without password?
@jackchenwork LastPass also keeps a login connection through cookies, and won't require SSO if you're still using the same device within a designated time frame.
It doesn't look like the issue is caused by LastPass site cookie.
For none-federated user, when user logout from extension, Lastpass user session cookies probably will be deleted, and when user login again, he is prompted to type password.
For federated user, when user logout from extension, Lastpass user session cookies probably will also be deleted, and when user login again, he is directed to Azure AD login page ( this shows Lastpass is asking the user to re-login), but then user is immediately login without being asked to type Azure AD password and MFA.
I think the issue is when user logout from extension, Lastpass doesn't send a logout request to the SSO provider.