jackchenwork
New Contributor

Federated user logout doesn't work as expected

I am wondering if anyone can confirm this is the expected behavior from the LastPass browser extension:

 

When I log in as a federated user, the extension directs me to the SSO OP (Azure AD) login page as expected. When I log out from the extension, then log in again, it asks me to provide my login email, then immediately logs me in without redirecting me to the OP login page. I tried Chrome, Edge and Firefox, same result.

 

Looks like when I log out from the extension, it doesn't send a logout request to the OP, so my browser session is still logged in with the OP.

 

 

3 REPLIES 3
jackchenwork
New Contributor

Re: Federated user logout doesn't work as expected

Can anyone from LastPass confirm this is the supposed behavior for federated users:

 

When logging out from the LastPass browser extension, the user is not really logged out from SSO and he can log back in without a password?

 

Thanks,

AshC
GoTo Moderator

Re: Federated user logout doesn't work as expected

@jackchenwork  LastPass also keeps a login connection through cookies, and won't require SSO if you're still using the same device within a designated time frame. 

 


Ash is a member of the GoTo Community Care Team.

jackchenwork
New Contributor

Re: Federated user logout doesn't work as expected

It doesn't look like the issue is caused by the LastPass site cookie.

 

For a non-federated user, when the user logs out from the extension, the LastPass user session cookies will probably be deleted, and when the user logs in again, he is prompted to type the password.

 

For a federated user, when the user logs out from the extension, the LastPass user session cookies will probably also be deleted, and when the user logs in again, he is directed to the Azure AD login page (this shows LastPass is asking the user to re-login), but then the user is immediately logged in without being asked to type the Azure AD password and MFA.

 

I think the issue is that when the user logs out from the extension, LastPass doesn't send a logout request to the SSO provider.
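
One way to check the behaviour discussed in this thread from a browser network capture, added here as an example and not part of any post or of LastPass's code. It assumes the federation uses OpenID Connect (the thread's "OP"); all hostnames, paths and the `auditLogout` helper are constructed for illustration.

```javascript
// Constructed OP metadata, shaped like an OpenID Connect discovery document.
const discovery = {
  authorization_endpoint: "https://op.example/oauth2/authorize",
  end_session_endpoint: "https://op.example/oauth2/logout",
};

// Constructed capture: request URLs in order, as exported from the browser's
// network tab (HAR log.entries[].request.url) for logout followed by re-login.
const capture = [
  "https://rp.example/logout",
  "https://rp.example/login?email=user%40corp.example",
  "https://op.example/oauth2/authorize?client_id=rp&response_type=code&scope=openid",
  "https://rp.example/callback?code=abc",
];

// Compare origin and path only, ignoring the query string.
function sameEndpoint(url, endpoint) {
  const u = new URL(url), e = new URL(endpoint);
  return u.origin === e.origin && u.pathname === e.pathname;
}

// Returns findings for a logout-then-login capture:
//  "no-op-logout"     : the OP's end_session_endpoint was never called before
//                       the next authorization request (no RP-initiated logout)
//  "no-forced-reauth" : the authorization request carried neither prompt=login
//                       nor max_age=0, so an existing OP session is accepted
function auditLogout(urls, meta) {
  const findings = [];
  const authIdx = urls.findIndex(u => sameEndpoint(u, meta.authorization_endpoint));
  const before = authIdx === -1 ? urls : urls.slice(0, authIdx);
  const opLogout = Boolean(meta.end_session_endpoint) &&
    before.some(u => sameEndpoint(u, meta.end_session_endpoint));
  if (!opLogout) findings.push("no-op-logout");
  if (authIdx !== -1) {
    const q = new URL(urls[authIdx]).searchParams;
    const prompts = (q.get("prompt") || "").split(" ");
    const forced = prompts.includes("login") || q.get("max_age") === "0";
    if (!forced) findings.push("no-forced-reauth");
  }
  return findings;
}

console.log(auditLogout(capture, discovery));
```

When both findings appear, the OP's own session cookie is enough to complete the next login, which matches a re-login that skips the password and MFA prompts.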