SP API call for logout without any web redirection?


Steve Chan

Feb 2, 2011, 11:37:42 AM2/2/11
to simpleSAMLphp
Hi,
We have SSP as a Shib 2.0 SP integrated into a web application
and it seems to be working well for login. However the logout doesn't
seem to have been implemented in a way that destroys the SAML cookie
on the browser, it simply deletes the session information for the user
in the hosting web application.

There are callbacks in the web app's logout code that I can bind
to for the SSP logout functions. Looking at the online API, the way to
do it if we want to hand over control entirely and not return from the
callback is here:
http://simplesamlphp.org/docs/1.6/simplesamlphp-sp-api#section_5

Is there a way that doesn't redirect the browser and which
returns? I am not sure how well things will behave with the rest of
the app if we hand over control entirely. I would prefer that the
local auth session in the web app be invalidated and control return to
the main app.

Looking through the source, will
SimpleSAML_Auth_Default::initLogoutReturn() do what I want?

Thanks,
Steve

--
"Sow a thought, reap an action. Sow an action, reap a habit. Sow a
habit, reap a character. Sow a character, reap a destiny." - Samuel
Smiles

Olav Morken

Feb 3, 2011, 4:28:17 AM2/3/11
to simple...@googlegroups.com
On Wed, Feb 02, 2011 at 08:37:42 -0800, Steve Chan wrote:
> Hi,
> We have SSP as a Shib 2.0 SP integrated into a web application
> and it seems to be working well for login. However the logout doesn't
> seem to have been implemented in a way that destroys the SAML cookie
> on the browser, it simply deletes the session information for the user
> in the hosting web application.
>
> There are callbacks in the web app's logout code that I can bind
> to for the SSP logout functions. Looking at the online API, the way to
> do it if we want to hand over control entirely and not return from the
> callback is here:
> http://simplesamlphp.org/docs/1.6/simplesamlphp-sp-api#section_5
>
> Is there a way that doesn't redirect the browser and which
> returns? I am not sure how well things will behave with the rest of
> the app if we hand over control entirely. I would prefer that the
> local auth session in the web app be invalidated and control return to
> the main app.
>
> Looking through the source, will
> SimpleSAML_Auth_Default::initLogoutReturn() do what I want?

No, it will not.

The issue is that for a logout to have any use, you need to also
terminate the session on the IDP. To do that, you will typically send a
LogoutRequest message to the IDP. SimpleSAMLphp currently only supports
sending LogoutRequest messages through the HTTP-Redirect binding, so
we need to do a redirect.

Regards,
Olav Morken
UNINETT / Feide

Steve Chan

Feb 3, 2011, 4:30:49 PM2/3/11
to simple...@googlegroups.com
Olav,
Thanks for replying...

On Thu, Feb 3, 2011 at 1:28 AM, Olav Morken <olav....@uninett.no> wrote:
> No, it will not.
>
> The issue is that for a logout to have any use, you need to also
> terminate the session on the IDP. To do that, you will typically send a
> LogoutRequest message to the IDP. SimpleSAMLphp currently only supports
> sending LogoutRequest messages through the HTTP-Redirect binding, so
> we need to do a redirect.

In our situation, I have disabled the PreviousSession handler on
the Shib IdP, so not only is there no SingleLogout URL, there are no
persistent sessions on the IdP anyway. The problem we have is that the
web app isn't getting rid of the local Shib session information, so it
lingers around and confuses things.

Would this code fragment get rid of the local session state? (from
SimpleSAML_Auth_Default::initLogoutReturn() )

$session = SimpleSAML_Session::getInstance();

$state = $session->getLogoutState();
$authId = $session->getAuthority();
$session->doLogout();

Olav Morken

Feb 7, 2011, 4:32:43 AM2/7/11
to simple...@googlegroups.com
On Thu, Feb 03, 2011 at 13:30:49 -0800, Steve Chan wrote:
> Would this code fragment get rid of the local session state? (from
> SimpleSAML_Auth_Default::initLogoutReturn() )
>
> $session = SimpleSAML_Session::getInstance();
>
> $state = $session->getLogoutState();
> $authId = $session->getAuthority();
> $session->doLogout();

You don't even need this much. The following should be enough:

$session = SimpleSAML_Session::getInstance();
$session->doLogout('default-sp'); // 'default-sp' is the authsource name

However, you should probably use $as->logout() if you can find a way to
do it, since that will also make it work if you later add support for
single logout to your IDP.
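The two logout paths Olav describes side by side, as an added example that is not code from the thread or from simpleSAMLphp itself. It assumes simpleSAMLphp 1.6 with an authsource named 'default-sp' (the name used above); the autoloader path, app_logout_hook() and its parameters are hypothetical.

```php
<?php
// Added example: a logout hook for the hosting web application.
// Assumes simpleSAMLphp 1.6 and an authsource named 'default-sp'.
// The autoloader path below is an assumption; adjust to your install.
require_once('/var/simplesamlphp/lib/_autoload.php');

/**
 * Clear the SP-side SAML session when the web app logs a user out.
 *
 * @param string $returnUrl  Where the browser should land after logout.
 * @param bool   $localOnly  true: drop the local session and return;
 *                           false: run a full SAML logout (redirects).
 */
function app_logout_hook($returnUrl, $localOnly = true) {
    $as = new SimpleSAML_Auth_Simple('default-sp');

    if (!$as->isAuthenticated()) {
        return; // no SSP session to clear, nothing to do
    }

    if ($localOnly) {
        // Non-redirecting variant (Olav's second reply): destroy only the
        // SP-side session state. The IdP session, if the IdP keeps one,
        // is untouched, so a later SP request may be answered without a
        // fresh login; this is only adequate when the IdP has no
        // persistent sessions, as in Steve's setup.
        $session = SimpleSAML_Session::getInstance();
        $session->doLogout('default-sp');
        return; // control goes back to the hosting application
    }

    // Full variant (Olav's first reply): $as->logout() sends a SAML
    // LogoutRequest to the IdP over the HTTP-Redirect binding, so this
    // call does not return. The browser comes back to $returnUrl once
    // the IdP has processed the request, and it also works if single
    // logout is added to the IdP later.
    $as->logout($returnUrl);
}

// Example call from the app's logout handler (URL is a placeholder):
// app_logout_hook('https://app.example.org/logged-out', true);
```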

Steve Chan

Feb 7, 2011, 1:52:53 PM2/7/11
to simple...@googlegroups.com
Hi Olav,

On Mon, Feb 7, 2011 at 1:32 AM, Olav Morken <olav....@uninett.no> wrote:
> You don't even need this much. The following should be enough
>
>    $session = SimpleSAML_Session::getInstance();
>    $session->doLogout('default-sp');
>

Thanks - that is exactly what I ended up trying last week after I
had time to pay more attention to what I was cutting and pasting. It
seemed to work properly, and I'm grateful for your confirmation.

> However, you should probably use $as->logout() if you can find a way to
> do it, since that will also make it work if you later add support for
> single logout to your IDP.

Yes, looking closely at where the logout hook is called, we may be
able to do that without interfering with the session expiration of the
hosting application. There is a "layer 8" issue in that the semantics
of Single Sign Out are not well understood by our user community which
could lead to support issues. In any case, single signout for
Shibboleth isn't due until the release of version 3 (I know that SSP
already supports it).

Thanks,
