Shibboleth Integration Support for SLO (Single Logout)?


Alexander Ivanov

Mar 31, 2017, 5:40:13 PM
to Dataverse Users Community
Hey Guys,

Is Shibboleth Single Logout supported in Dataverse?
We have a Drupal application integrated with a Dataverse instance via Shibboleth IdP/SP.  One of the remaining tasks to finalize this integration is the implementation of Single Logout with Shibboleth.


It seems that I've configured everything properly for SLO for our IdP and SP.  After I log into both of our applications using SSO, I navigate to this URL to trigger the SLO:
the IdP SLO Logout page displays correctly, and correctly tracks the active SP sessions associated with the IdP user, and attempts to log the user out of both Drupal and Dataverse. It successfully logs the user out of Drupal, and displays a message that the logout from Dataverse was successful as well.  However when I navigate to Dataverse, I see that my user is still logged in, even though the SSO session has been terminated.
https://dv.stage.qdr.org/Shibboleth.sso/Session shows "A valid session was not found."

So, it seems that for Dataverse, the SP correctly terminates the SSO session but the user is not logged out of the application locally.

Has anyone successfully configured Single Logout with Dataverse and Shibboleth, whether using the documented approach from the Shibboleth wiki or a custom workaround?

Thanks in advance for your help,

Alex
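
One way to close the gap described in this post (SP session gone, application session still alive) is to tie the application session to the SP session it was created from. The servlet filter below is an added example, not code from this thread or from Dataverse. It assumes the SP exports `Shib-Session-ID` as a request attribute on every path the filter covers; the class name and the `example.boundShibSessionId` key are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: ends the local session once the SP session it was bound to is gone. */
public class ShibSessionBindingFilter implements Filter {
    // Request attribute the Shibboleth SP sets while an SP session is active.
    static final String SP_SESSION_ATTR = "Shib-Session-ID";
    // Hypothetical key under which this filter remembers the SP session ID.
    static final String BOUND_KEY = "example.boundShibSessionId";

    /** True when a local session bound to an SP session has outlived it. */
    static boolean isStale(String boundId, String currentId) {
        return boundId != null && !boundId.equals(currentId);
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        Object raw = req.getAttribute(SP_SESSION_ATTR);
        // Treat a missing or empty attribute as "no SP session".
        String currentId = (raw == null || raw.toString().isEmpty()) ? null : raw.toString();

        HttpSession local = req.getSession(false);   // never create a session here
        if (local != null) {
            String boundId = (String) local.getAttribute(BOUND_KEY);
            if (isStale(boundId, currentId)) {
                // SLO (or SP timeout) removed the SP session: drop the local login too.
                local.invalidate();
            } else if (boundId == null && currentId != null) {
                // First request carrying an SP session: remember which one it was.
                local.setAttribute(BOUND_KEY, currentId);
            }
        }
        chain.doFilter(rq, rs);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Sessions that were never bound (for example, local non-Shibboleth logins) are left alone because `isStale` requires a stored SP session ID.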

Philip Durbin

Mar 31, 2017, 6:04:07 PM
to dataverse...@googlegroups.com
https://github.com/IQSS/dataverse/issues/3535 is the issue we're using to track the desire to support Shibboleth Single Log Out but we could use some help because no one on the Dataverse team has any experience running a Shibboleth Identity Provider (IdP).

It's interesting to hear that Single Log Out is supported by Shibboleth 3.2.0. I think I did most of my testing with a Shibboleth 2 IdP but Harvard recently upgraded its IdP to Shibboleth 3 and everything still works. We haven't explored the Single Log Out stuff at all. Do you have a sense of what the code change would look like? I would very much welcome a pull request for issue 3535.

Thanks,

Phil




Alexander Ivanov

Mar 31, 2017, 7:02:05 PM
to dataverse...@googlegroups.com
Hey Phil,

I think I could help implement the Shibboleth Single Logout support.  As an example I'll take a look at what the Drupal shib_auth module code is doing to perform a local logout when the SP Session is terminated.  Then I'll delve into the Dataverse code and figure out a good way to code the same process in Java for Dataverse.  I may have some questions at this stage. If so, I'll pop into the Dataverse chat room.

I'd love to come up with a solution that works for us here at QDR, which I could also contribute to the DV codebase.

Cheers,
Alex


Philip Durbin

Apr 1, 2017, 9:10:52 AM
to dataverse...@googlegroups.com
Sounds great! Yes, please feel free to pop in http://chat.dataverse.org any time. There's also https://groups.google.com/forum/#!forum/dataverse-dev if you'd like to reach more developers at once.


Thanks,

Phil
