Hi,
I have an SP 2.1 talking to an IdP 1.3. The IdP has a logout servlet (https://myIdP/shibboleth-idp/Logout) which deletes some single sign on cookies (these cookies are written to user browser by our local single sign on system). In my application, logout links to https://mySP/Shibboleth.sso/Logout. In shibboleth2.xml, I have
<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie" >
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
<LogoutInitiator type="Local"/>
</LogoutInitiator>
<md:SingleLogoutService Location="https://myIdP/shibboleth-idp/Logout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="https://myIdP/shibboleth-idp/Logout" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="https://myIdP/shibboleth-idp/Logout" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="https://myIdP/shibboleth-idp/Logout" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<Errors session="sessionError.html"
metadata="metadataError.html"
access="accessError.html"
ssl="sslError.html"
localLogout="localLogout.html"
globalLogout="globalLogout.html"
supportContact="root@localhost"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
<md:SingleLogoutService Location="/SLO/SOAP" ResponseLocation="https://myIdP/shibboleth-idp/Logout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect" ResponseLocation="https://myIdP/shibboleth-idp/Logout" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST" ResponseLocation="https://myIdP/shibboleth-idp/Logout" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact" ResponseLocation="https://myIdP/shibboleth-idp/Logout" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
The IdP's log (debug level) doesn't have any record showing a logout request from the SP. The SP's log (debug level) shows deleting _shibsession but no record of requesting the IdP for logout. It looks to me like the IdP's logout URL is not invoked.
Now my question is: how should I configure my SP so that the user can be redirected to my IdP's logout servlet? Thanks.
Xiaoling Zhang
Yes, that's all it can possibly do. If you want to redirect the client when
it's done with what it supports, you can use a "return" parameter on the
URL, which is documented.
https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator
> IdP's log (debug level) doesn't have any record showing logout request
> from SP.
How could you expect the SP to know about a non-standard logout mechanism?
(You could write a LogoutInitiator plugin, but if the logout protocol is a
simple redirect, that's silly, obviously.)
> SP's log (debug level) shows deleting _shibsession but no record of
> requesting IdP for logout. Looks to me IdP's logout url is not invoked.
Right, but how could it be? Your IdP isn't offering any supported logout
protocol the SP knows about.
> Now my question is: how should I config my sp so that user can be
> redirected to my IdP's logout servlet? Thanks.
There's nothing you need to configure, it's a property of the URL you use.
If you want to send the browser somewhere after the SP finishes, add a
return parameter and then you're responsible for whatever happens there.
-- Scott
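Scott's "return" parameter approach, carried through as an added example (my code, not from the thread or the Shibboleth project): the application builds the SP logout link with return pointing at the IdP's logout servlet, and, because the SP will send the browser wherever that parameter says once it is done, checks the target against an allow-list before emitting the link. The SP and IdP host names are assumed from the thread.

```python
from urllib.parse import urlencode, urlsplit

# Hosts the application is willing to hand the browser to after the SP
# finishes its own logout. Constructed for this example; "myidp" is the
# IdP host used in the thread (compared case-insensitively).
ALLOWED_RETURN_HOSTS = {"myidp"}


def validate_return_url(return_url, allowed_hosts=ALLOWED_RETURN_HOSTS):
    """True only if the target is an absolute https URL on an allowed host."""
    parts = urlsplit(return_url)
    if parts.scheme != "https":
        return False
    if not parts.netloc or parts.hostname is None:
        return False
    if parts.username or parts.password:
        # Reject "https://trusted@attacker/" style authority tricks.
        return False
    return parts.hostname.lower() in allowed_hosts


def build_sp_logout_url(sp_base, return_url, allowed_hosts=ALLOWED_RETURN_HOSTS):
    """Build https://<sp>/Shibboleth.sso/Logout?return=<encoded target>.

    Raises ValueError when the target is not on the allow-list, so a link
    that an attacker can influence cannot turn the SP's logout handler into
    an open redirect.
    """
    if not validate_return_url(return_url, allowed_hosts):
        raise ValueError("return target not permitted: " + return_url)
    query = urlencode({"return": return_url})
    return sp_base.rstrip("/") + "/Shibboleth.sso/Logout?" + query


if __name__ == "__main__":
    # Logout link for the application, pointing back at the IdP's servlet.
    print(build_sp_logout_url("https://mySP", "https://myIdP/shibboleth-idp/Logout"))
```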