How to log out of the Shibboleth Service Provider session at logout (DSpace 7)


Guillermo Fernández

Jun 17, 2023, 11:31:57 AM
to DSpace Community
Hello,

We are currently preparing DSpace 7.5 for login using Shibboleth and it is working fine, but the logout endpoint only disposes of the server-side session. It does not do anything (like a redirect) to log out the Shibboleth Service Provider session.

The documentation about the API, DSPACE/REST+Authentication, refers to RestContract Authentication.
It says for "POST /api/authn/logout":
"...This invalidates the token on the server side which will result in logging out the user on every device or browser. It can also be called with params action and return, required by the Shibboleth Single Logout (front channel), with the same behaviour...."

We are using the DSpace UI AngularJS Frontend. The Logout button makes a POST request to the logout endpoint, and we didn't find a configuration option to set the Shibboleth.sso/Logout URL.

We can internally rewrite that POST request to set the action or return parameter "required by the Shibboleth", but we don't know what the endpoint expects.

Any example of invoking the logout endpoint with the parameters would be appreciated.

Thanks in advance!

Regards
Guillermo

Guillermo Fernández

Jun 18, 2023, 10:28:39 PM
to DSpace Community
I hope to be wrong, but...
Reviewing the project code, I found out that the configuration is made in the WebSecurityConfiguration:
            // Logout configuration
            .logout()
                // On logout, clear the "session" salt
                .addLogoutHandler(customLogoutHandler)
                // Configure the logout entry point & require POST
                .logoutRequestMatcher(new AntPathRequestMatcher("/api/authn/logout", HttpMethod.POST.name()))
                // When logout is successful, return OK (204) status
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT))
                // Everyone can call this endpoint
                .permitAll()
            .and()

So there is no way to customize the logout behavior.
And investigating a little more about "the action or (and) return parameter", I found the following push request with everything we would like to have: Shibboleth Single Logout support #2758

Am I missing something?
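
A client-side way to close the gap described in this thread, as an added example that is not part of the original posts or of the DSpace code base: after the REST logout returns 204, the browser is sent to the SP logout handler, and the `return` target is restricted to the site's own origin so it cannot be used as an open redirect. The function names, the caller-supplied headers, the assumption that the SP shares the UI's origin, and the example.org URLs are assumptions.

```javascript
// Added example; function names and sample URLs are hypothetical.
const SP_LOGOUT_PATH = "/Shibboleth.sso/Logout"; // SP handler named in the thread
const REST_LOGOUT_PATH = "/api/authn/logout";    // DSpace endpoint named in the thread

// Build the SP logout URL. `returnTo` is where the SP sends the browser
// afterwards; it is resolved against our own origin and rejected if it
// lands anywhere else (absolute URLs, "//host" and backslash variants).
function buildSpLogoutUrl(siteOrigin, returnTo) {
  const origin = new URL(siteOrigin).origin;
  const target = new URL(returnTo, origin);
  if (target.origin !== origin) {
    throw new Error("return target must stay on " + origin);
  }
  const url = new URL(SP_LOGOUT_PATH, origin);
  url.searchParams.set("return", target.href);
  return url.href;
}

// Step 1: invalidate the DSpace token (POST, expects 204 as configured in
// WebSecurityConfiguration). Step 2: hand back the SP logout URL for the
// caller to navigate to, e.g. window.location.assign(result).
// Assumptions: `restBase` is the REST root, `headers` carries whatever
// auth/CSRF headers the UI already sends, the SP shares the UI's origin.
async function logoutBoth(fetchImpl, siteOrigin, restBase, headers, returnTo) {
  const spUrl = buildSpLogoutUrl(siteOrigin, returnTo); // validate first
  const endpoint = restBase.replace(/\/+$/, "") + REST_LOGOUT_PATH;
  const res = await fetchImpl(endpoint, {
    method: "POST",
    headers,
    credentials: "include",
  });
  if (res.status !== 204) {
    throw new Error("DSpace logout failed with status " + res.status);
  }
  return spUrl;
}
```

If the POST fails, the function throws before returning the SP URL, so the caller can decide whether to end the SP session anyway.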