Open Redirect: Shibboleth SSO Logout Return Parameter

Sublime Rules

Summary
This detection rule identifies potential open redirect vulnerabilities associated with Shibboleth Single Sign-On (SSO) logout links. It scans incoming requests for URLs that either directly include the path '/Shibboleth.sso/Logout' together with a return parameter, or carry URL-encoded versions of those components inside query parameters. A Shibboleth logout endpoint that honours a return parameter can be exploited by attackers to redirect users to malicious sites.

The rule only triggers on senders whose email domains are deemed 'non-common', which filters out benign traffic from known entities and focuses on less reputable sources. Given its severity level, it emphasizes the importance of validation in operational environments, particularly because open redirect attacks rely on evasion. The rule combines several detection methods (HTML and URL analysis as well as sender analysis) to identify potentially harmful links that could facilitate credential phishing, and so helps mitigate the risks that open redirects pose in SSO implementations.
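The detection logic described in the summary, as an added Python example that is not the Sublime rule itself: it extracts links from an HTML body, flags those that hit the Shibboleth logout path with a return parameter either directly or URL-encoded (including double-encoded) inside a query value, and suppresses the hit when the sender's domain is on a "common" list. The allowlist of common domains, the href regex and the sample message are constructed for illustration and stand in for whatever the real rule uses.

```python
import re
from typing import List
from urllib.parse import parse_qs, unquote, urlparse

# Path fragment the rule looks for, compared case-insensitively.
LOGOUT_PATH = "/shibboleth.sso/logout"

# Constructed stand-in for the rule's notion of "common" sender domains (assumption).
COMMON_SENDER_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed, deliberately simple href extractor; a production rule would parse the HTML.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def has_shibboleth_logout_return(url: str) -> bool:
    """True if the URL is a Shibboleth logout link that carries a return parameter,
    either directly in its path and query or URL-encoded inside a query value."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)

    # Direct form: /Shibboleth.sso/Logout?return=...
    if LOGOUT_PATH in parsed.path.lower():
        if any(key.lower() == "return" for key in params):
            return True

    # Encoded form: the logout URL wrapped inside another URL's query value
    # (e.g. a click tracker). parse_qs decodes once; unquote twice more to
    # cover double encoding such as %252F.
    for values in params.values():
        for value in values:
            decoded = unquote(unquote(value)).lower()
            if LOGOUT_PATH in decoded and "return=" in decoded:
                return True
    return False


def extract_links(html: str) -> List[str]:
    """Return every href value found in the HTML body."""
    return HREF_RE.findall(html)


def sender_domain(sender: str) -> str:
    """Domain part of an email address, lower-cased."""
    return sender.rsplit("@", 1)[-1].lower()


def flag_message(sender: str, html_body: str) -> List[str]:
    """Return the offending URLs for a message from a non-common sender domain.
    Messages from common sender domains are not flagged, mirroring the rule's
    sender-analysis filter."""
    if sender_domain(sender) in COMMON_SENDER_DOMAINS:
        return []
    return [u for u in extract_links(html_body) if has_shibboleth_logout_return(u)]


# Constructed sample body: one direct logout-with-return link, one encoded inside
# a tracking link, and one plain logout link without a return parameter.
SAMPLE_BODY = """<html><body>
<p>Your session will expire.
<a href="https://idp.example.edu/Shibboleth.sso/Logout?return=https://login-verify.example/">Re-authenticate</a></p>
<a href="https://tracker.example.net/click?u=https%3A%2F%2Fidp.example.edu%2FShibboleth.sso%2FLogout%3Freturn%3Dhttps%3A%2F%2Flogin-verify.example%2F">mirror</a>
<a href="https://idp.example.edu/Shibboleth.sso/Logout">plain logout</a>
</body></html>"""

if __name__ == "__main__":
    for url in flag_message("alerts@notices.example", SAMPLE_BODY):
        print("flagged:", url)
```

The plain logout link is not flagged because the risk the rule targets is the attacker-controlled return destination, not the logout itself; the same message from a common sender domain yields no hits at all.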
Categories
  • Web
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2025-03-18