[Shib-Users] Logout question


Zhang, Xiaoling

Feb 3, 2009, 4:36:15 PM2/3/09
to shibbole...@internet2.edu

Hi,


I have an SP 2.1 talking to an IdP 1.3. The IdP has a logout servlet (https://myIdP/shibboleth-idp/Logout) which deletes some single sign-on cookies (these cookies are written to the user's browser by our local single sign-on system). In my application, logout links to https://mySP/Shibboleth.sso/Logout. In shibboleth2.xml, I have

<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
    <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
    <LogoutInitiator type="Local"/>
</LogoutInitiator>


<md:SingleLogoutService Location="https://myIdP/shibboleth-idp/Logout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="https://myIdP/shibboleth-idp/Logout" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="https://myIdP/shibboleth-idp/Logout" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="https://myIdP/shibboleth-idp/Logout" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>


<Errors session="sessionError.html"
        metadata="metadataError.html"
        access="accessError.html"
        ssl="sslError.html"
        localLogout="localLogout.html"
        globalLogout="globalLogout.html"
        supportContact="root@localhost"
        logoLocation="/shibboleth-sp/logo.jpg"
        styleSheet="/shibboleth-sp/main.css"/>


When clicking logout, which links to http://mySP/Shibboleth.sso/Logout, the user is redirected to the page localLogout.html (I'm using the defaults here) and the _shibsession cookie is deleted. However, the IdP's logout servlet is not invoked and the single sign-on cookies are not removed. When I use the configuration below, I get the same result:

<md:SingleLogoutService Location="/SLO/SOAP" ResponseLocation="https://myIdP/shibboleth-idp/Logout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect" ResponseLocation="https://myIdP/shibboleth-idp/Logout" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST" ResponseLocation="https://myIdP/shibboleth-idp/Logout" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact" ResponseLocation="https://myIdP/shibboleth-idp/Logout" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>


The IdP's log (debug level) doesn't have any record showing a logout request from the SP. The SP's log (debug level) shows deleting _shibsession but no record of requesting logout from the IdP. It looks to me like the IdP's logout URL is not invoked.


Now my question is: how should I configure my SP so that the user can be redirected to my IdP's logout servlet? Thanks.


Xiaoling Zhang

Scott Cantor

Feb 3, 2009, 5:39:29 PM2/3/09
to shibbole...@internet2.edu
Zhang, Xiaoling wrote on 2009-02-03:
> When clicking logout which links to http://mySP/Shibboleth.sso/Logout,
> user is redirected to page localLogout.html (I'm using the defaults here)
> and _shibsession cookie is deleted. However, IdP's logout servlet is not
> invoked and single sign-on cookies are not removed.

Yes, that's all it can possibly do. If you want to redirect the client when
it's done with what it supports, you can use a "return" parameter on the
URL, which is documented.

https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator

> IdP's log (debug level) doesn't have any record showing logout request
> from SP.

How could you expect the SP to know about a non-standard logout mechanism?
(You could write a LogoutInitiator plugin, but if the logout protocol is a
simple redirect, that's silly, obviously.)

> SP's log (debug level) shows deleting _shibsession but no record of
> requesting IdP for logout. Looks to me IdP's logout url is not invoked.

Right, but how could it be? Your IdP isn't offering any supported logout
protocol the SP knows about.


> Now my question is: how should I config my sp so that user can be
> redirected to my IdP's logout servlet? Thanks.

There's nothing you need to configure, it's a property of the URL you use.
If you want to send the browser somewhere after the SP finishes, add a
return parameter and then you're responsible for whatever happens there.

-- Scott
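The return-parameter mechanism Scott points to, as an added example (not code from the thread or from the Shibboleth project): the application builds its logout link so that, once the SP has cleared its own session, the browser is sent on to the IdP's logout servlet. The hostnames are the placeholders from the original post; the allowlist check on the return target is an assumption of this example, not something the SP configuration shown above provides.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Placeholders used in the thread.
SP_LOGOUT = "https://mySP/Shibboleth.sso/Logout"
IDP_LOGOUT = "https://myIdP/shibboleth-idp/Logout"

# Assumption (not from the thread): the application only hands the browser
# to hosts it knows about after the SP's local logout, so the "return"
# parameter cannot be abused as an open redirect. Compared case-insensitively.
ALLOWED_RETURN_HOSTS = {"myidp"}


def build_logout_url(return_url: str, sp_logout: str = SP_LOGOUT) -> str:
    """Build the SP logout URL with a percent-encoded `return` parameter.

    The SP deletes its session and then redirects to `return_url`; what
    happens there (here: the IdP clearing its SSO cookies) is up to the
    application, which is why the target is validated first.
    """
    target = urlsplit(return_url)
    if target.scheme != "https" or target.netloc.lower() not in ALLOWED_RETURN_HOSTS:
        raise ValueError(f"refusing to redirect to {return_url!r}")
    base = urlsplit(sp_logout)
    query = urlencode({"return": return_url})
    return urlunsplit((base.scheme, base.netloc, base.path, query, ""))


def return_target(logout_url: str) -> Optional[str]:
    """Read the `return` parameter back out of a logout URL (for logging/checks)."""
    values = parse_qs(urlsplit(logout_url).query).get("return")
    return values[0] if values else None


if __name__ == "__main__":
    print(build_logout_url(IDP_LOGOUT))
```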


Zhang, Xiaoling

Feb 4, 2009, 1:57:15 PM2/4/09
to shibbole...@internet2.edu
Thank you Scott.