problem logging out of Google Apps for Education


Keith Alston

Dec 1, 2011, 3:43:46 PM
to google-app...@googlegroups.com
We're using SimpleSAMLphp (v1.8) to provide SSO for Google Apps for Education.

LogIN works great when using all browsers: Firefox, Chrome, IE, Safari, on various platforms.

LogOUT works great when using all browsers EXCEPT Firefox. Simply trying to log out using the link on the Gmail page. When it works, it redirects the browser to the logout page in the SSO config. When it doesn't work, it redirects the user to the standard Gmail login page, accounts.google.com/ServiceLogin... If I then enter our login URL, I'm placed right back into Gmail, without having to enter any credentials. So, I was not actually logged out. If I navigate to Docs or Accounts or anywhere other than Gmail, I am correctly logged out and sent to the logout page set in our SSO config.

This behavior is consistent between Firefox 7 and 8 on XP, Windows 7 and MacOS.

Any ideas on what might be the problem would be greatly appreciated!

Claudio Cherubino

Dec 1, 2011, 3:47:01 PM
to google-app...@googlegroups.com
Hi,

Google Apps doesn't support Single Sign-Out but simply redirects the user to the logout page you provide, so you either have to clear the session on your side when the user is redirected or have him close the browser window.

Claudio




Keith Alston

Dec 1, 2011, 4:08:25 PM
to google-app...@googlegroups.com
Then I guess the problem is that, for some reason, when using Firefox the redirect (to the logout page) sometimes does not happen properly.

Ideas??

Jesse Thompson

Dec 2, 2011, 12:04:14 PM
to google-app...@googlegroups.com

I've never seen that problem. I would first install Firebug or
LiveHTTPHeaders in Firefox to confirm that Google isn't redirecting to
the logout page, as opposed to the logout page redirecting back to
Google. If you open a case with Google about the issue, they will ask
for that level of troubleshooting to be done first.

Jesse

Glen Holcomb

Jun 13, 2012, 2:19:12 PM
to google-app...@googlegroups.com
Keith,

I'm seeing the same behavior occasionally.  It's not even consistent in the scope of a specific browser for me.  Did you ever figure out what was going on?

-Glen

Jack

Jun 17, 2012, 1:56:04 AM
to google-app...@googlegroups.com
Could this be a JavaScript issue? Are you certain that all the browsers are allowing it?

Try to find the URL where it fails and the console may give you the error. Using Fiddler may help too (?)

Stafford Marquardt

Jun 18, 2012, 6:12:34 PM
to google-app...@googlegroups.com
Indeed, it's important that we properly understand the flow of events that you're experiencing.  Here's what's supposed to happen.

In an SSO-enabled environment it's expected that when you click "Sign out" from a Google application (let's take Gmail for example):
1) You will be signed out of Google, via https://mail.google.com/mail/u/0/?logout&hl=en followed by a series of other logout URLs
2) You will hit a domain-specific logout URL (https://www.google.com/a/{yourdomain.tld}/Logout2) which will then refer you to your portal for SSO logout (this redirection goes to whatever logout page you've specified in the Control Panel)
3) Your SSO portal takes over and logs the user out of SSO

So if you notice that the logout isn't proceeding as expected, I'd like to understand a few things:
1) Does it only happen with a particular app, such as Gmail?  Or is it persistent across the Apps suite?
2) Does it occur with Google-initiated logout or IdP-initiated logout?
3) Is the redirect to SSO logout page being missed (step 2->3 above)?  It should be right around https://www.google.com/a/{yourdomain.tld}/Logout2 in the logout flow, as described above.

Thanks - happy to look into this a bit further for you.

Brieuc Schaff

Jul 10, 2012, 4:24:32 AM
to google-app...@googlegroups.com
We have also been experiencing this kind of issue from time to time for a couple of months with Google Apps for Business.

We have a robot performing test scenarios: it tries to access a Google service, gets redirected to the SSO login page, logs in, gets redirected to the Google service, logs out.
19 times out of 20 everything works fine, but sometimes the logout redirects to the Google login page instead of our SSO login page. We have observed on our side that this occurred 99% of the time from the spreadsheet service.

It's really random, so it's difficult to get something with httpfox.
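
An added example, not part of any post in this thread: a Python sketch that classifies a recorded logout redirect chain (for instance, the URLs logged by a test robot or an HTTP header capture) against the three-step flow described above. It separates "Google never reached Logout2" from "the IdP logout page sent the browser back to Google". The domain `example.edu`, the IdP URL `https://sso.example.edu/logout` and the sample chains are constructed assumptions.

```python
from urllib.parse import urlsplit

def _matches(url, host, path_prefix):
    """True when url is on host and its path starts with path_prefix."""
    parts = urlsplit(url)
    return parts.hostname == host and parts.path.startswith(path_prefix)

def _is_google(url):
    host = urlsplit(url).hostname or ""
    return host == "google.com" or host.endswith(".google.com")

def classify_logout(chain, domain, idp_logout_url):
    """Classify an ordered list of URLs visited after clicking "Sign out".

    'logout2_not_reached': Google never sent the browser to Logout2 (step 2)
    'idp_not_reached'    : Logout2 was hit, the IdP logout page was not (step 2->3)
    'idp_bounced_back'   : the IdP logout page loaded, then went back to Google
    'ok'                 : the chain ended on the IdP side after step 3
    """
    idp = urlsplit(idp_logout_url)
    logout2_at = idp_at = None
    for i, url in enumerate(chain):
        if logout2_at is None:
            if _matches(url, "www.google.com", f"/a/{domain}/Logout2"):
                logout2_at = i
        elif idp_at is None and _matches(url, idp.hostname, idp.path):
            idp_at = i
    if logout2_at is None:
        return "logout2_not_reached"
    if idp_at is None:
        return "idp_not_reached"
    if any(_is_google(u) for u in chain[idp_at + 1:]):
        return "idp_bounced_back"
    return "ok"

# Constructed sample chains; only the Google URLs come from the thread.
DOMAIN, IDP = "example.edu", "https://sso.example.edu/logout"
START = "https://mail.google.com/mail/u/0/?logout&hl=en"
LOGOUT2 = f"https://www.google.com/a/{DOMAIN}/Logout2"
LOGIN = "https://accounts.google.com/ServiceLogin"
SAMPLES = {
    "good": [START, LOGOUT2, IDP],
    "missed": [START, LOGIN],
    "stalled": [START, LOGOUT2, LOGIN],
    "bounced": [START, LOGOUT2, IDP, LOGIN],
}

if __name__ == "__main__":
    for name, chain in SAMPLES.items():
        print(name, "->", classify_logout(chain, DOMAIN, IDP))
```

Run over every robot iteration, this turns an intermittent failure into a count per failing step, which is the level of detail the replies above ask for.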