[Shib-Users] Logout problem in Shibboleth 2


migue...@yahoo.com

Oct 29, 2008, 12:47:36 PM
to shibbole...@internet2.edu
Hello,

I have installed and configured IdP, SP and DS and I have protected one test application with the SP.

When I access the application, everything works correctly: I am directed to the DS page, where I choose one IdP, then I login, then I am sent back to my application. Inspecting the HTTP header variables I see everything is there:

SHIB_APPLICATION_ID="default"
SHIB_AUTHENTICATION_INSTANT="2008-10-29T16:32:04.230Z"
SHIB_AUTHNCONTEXT_DECL="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
SHIB_IDENTITY_PROVIDER="https://xxxxxx/idp/shibboleth"
SHIB_SESSION_ID="_648eafd4d5dbd48a8f9e05650753936b"

The problem I have is when I try to logout. My logout servlet destroys my app's session and then redirects to /Shibboleth.sso/Logout.
Then I see the SP logout page with the messages:

"Global Logout
Status of Global Logout: Identity provider does not support SAML 2 Single Logout protocol.

If the message above indicates success, you have been logged out of all the applications and systems that support the logout mechanism.

It is still strongly advised that you close your browser to complete the logout process."

Looking at the SP log files, I see:

2008-10-29 14:16:28 DEBUG Shibboleth.Listener [1]: dispatching message (default/Logout::run::SAML2LI)
2008-10-29 14:16:28 DEBUG Shibboleth.SessionCache [1]: searching for session (_3c563f18dde0c9228a28f53ce84dbc2f)
2008-10-29 14:16:28 DEBUG Shibboleth.SessionCache [1]: reconstituting session and checking validity
2008-10-29 14:16:28 WARN Shibboleth.LogoutInitiator.SAML2 [1]: no compatible front channel SingleLogoutService, trying back channel...
2008-10-29 14:16:28 INFO Shibboleth.SessionCache [1]: removed session (_3c563f18dde0c9228a28f53ce84dbc2f)

Logging level is set to debug, as you can see. In shibboleth2.xml I have the default LogoutInitiator set at installation:

<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
    <LogoutInitiator type="SAML2" template="bindingTemplate.html" />
    <LogoutInitiator type="Local" />
</LogoutInitiator>

The SingleLogoutServices are also the default:

<md:SingleLogoutService Location="/SLO/SOAP"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>


Is this behavior expected?
Is there something extra to configure in IdP or SP metadata in order to use the SP Logout?

I am using the following binary distributions:
shibboleth-idp-2.0.0-bin.zip
shibboleth-sp-2.1-win32.msi
discoveryservice-1.0.0-bin.zip

Everything is running on the same Windows server with Tomcat 6 and Apache 2.2.

Regards,
Marcio.

Scott Cantor

Oct 29, 2008, 1:52:07 PM
to shibbole...@internet2.edu
> The problem I have is when I try to logout. My logout servlet destroys my
> app's session and then redirects to /Shibboleth.sso/Logout.
> Then I see the SP logout page with the messages:
>
> "Global Logout
> Status of Global Logout: Identity provider does not support SAML 2 Single
> Logout protocol.

That's exactly what you should get with an IdP that doesn't support SLO. What
part isn't clear?

The content of that page of course is also entirely up to you.

-- Scott


Marcio Andrade

Oct 29, 2008, 2:36:35 PM
to shibbole...@internet2.edu
The part that isn't clear is the numerous references to the Single Logout service. To name a few:

Section named "SAML2 LogoutInitiator" on
https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator

And on shibboleth2.xml:
"LogoutInitiators enable SP-initiated local or global/single logout of sessions."


"<LogoutInitiator type="SAML2" template="bindingTemplate.html" />"

"md:SingleLogoutService locations handle single logout (SLO) protocol messages."

All that information leads one to believe that Single Logout is available. If that is not the case, such information serves only to confuse.

Since SAML2 supports SLO and Shibboleth2 uses SAML2, this adds to the confusion.

Regards,
Marcio.

--- On Wed, 10/29/08, Scott Cantor <cant...@osu.edu> wrote:



Russell Beall

Oct 29, 2008, 4:58:27 PM
to shibbole...@internet2.edu
Marcio,

There have been a lot of postings regarding the issues of Single
Logout. It is not currently supported at the IdP level. If you need
logout, you should probably just use the local shibboleth logout
service for your application.

<LogoutInitiator type="Local" />

For more info on this, seek the wiki page regarding SLO Issues:

https://spaces.internet2.edu/display/SHIB2/SLOIssues

Russ.

Scott Cantor

Oct 29, 2008, 5:02:38 PM
to migue...@yahoo.com, shibbole...@internet2.edu
> The part that isn't clear is the numerous references to the Single Logout
> service. To name a few:

That's all SP stuff, and it all works, mostly.

> All that information leads one to believe that Single Logout is available.
> If that is not the case, such information serves only to confuse.

I never said, nor does that message say, that it's not available in the SP.
It is. It is not available in the IdP, nothing in the configuration says it
is, and the error message you get says exactly that. That's why I'm asking
what it should say to make it clearer. It was a serious question, not a
sarcastic one. It's an easy change if the wording can be improved.

> Since SAML2 supports SLO and Shibboleth2 uses SAML2, adding to the
> confusion.

https://spaces.internet2.edu/display/SHIB2/ShibProtocols

-- Scott
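The thread turns on one fact: the SP supports SAML 2 Single Logout, but it can only use it if the IdP's metadata advertises a SingleLogoutService endpoint, and the IdP 2.0.0 release here does not. The SP log above shows the decision order (look for a front-channel binding, fall back to back-channel, otherwise just remove the local session). The script below is an added example, not code from this thread or from the Shibboleth project: it reads SAML 2 metadata and reports which logout path an SP could take against that IdP. The three metadata documents are constructed for illustration, and the returned strings are this example's own labels for the SP behaviour described in the thread, not Shibboleth's messages.

```python
"""Check whether an IdP's SAML 2 metadata advertises Single Logout endpoints.

Added example for the Shib-Users thread above; metadata samples are constructed.
Standard-library ElementTree does not fetch external entities, but for metadata
pulled from untrusted sources you should still parse with defusedxml.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Bindings the SP can drive through the user's browser (front channel)
# versus direct server-to-server (back channel).
FRONT_CHANNEL = {BINDING_REDIRECT, BINDING_POST}
BACK_CHANNEL = {BINDING_SOAP}

# Constructed sample: an IdP that only publishes SSO endpoints, like the
# IdP 2.0.0 in the thread. Hostname is a placeholder.
IDP_NO_SLO = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{BINDING_REDIRECT}"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: an IdP that does advertise SLO over both channels.
IDP_WITH_SLO = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{BINDING_SOAP}"
        Location="https://idp.example.org/idp/profile/SAML2/SOAP/SLO"/>
    <md:SingleLogoutService Binding="{BINDING_REDIRECT}"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: SOAP only, which triggers the "trying back channel" path.
IDP_SOAP_ONLY = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{BINDING_SOAP}"
        Location="https://idp.example.org/idp/profile/SAML2/SOAP/SLO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def slo_endpoints(metadata_xml: str) -> list[tuple[str, str]]:
    """Return (Binding, Location) for every SingleLogoutService on IdP roles."""
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for ep in idp.findall(f"{{{MD_NS}}}SingleLogoutService"):
            endpoints.append((ep.get("Binding", ""), ep.get("Location", "")))
    return endpoints


def logout_path(metadata_xml: str) -> str:
    """Mirror the SP's choice: front channel first, then back channel, else local only."""
    bindings = {binding for binding, _ in slo_endpoints(metadata_xml)}
    if bindings & FRONT_CHANNEL:
        return "front-channel SLO"
    if bindings & BACK_CHANNEL:
        return "back-channel SLO"
    # Nothing to send a LogoutRequest to: the SP can only drop its own session,
    # which is what the "Identity provider does not support SAML 2 Single
    # Logout protocol" page in the thread reports.
    return "local logout only"


if __name__ == "__main__":
    for name, doc in [("no SLO", IDP_NO_SLO), ("with SLO", IDP_WITH_SLO), ("SOAP only", IDP_SOAP_ONLY)]:
        print(f"{name:10s} -> {logout_path(doc)}  {slo_endpoints(doc)}")
```

Point it at your real IdP's published metadata (the document the SP loads through its MetadataProvider) rather than the SP's own shibboleth2.xml: the `md:SingleLogoutService` elements in the SP configuration describe endpoints the SP exposes, and say nothing about what the IdP can do.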

