Regarding Single Logout

Naveen Davis naveen.davis at aalto.fi
Thu Aug 11 09:41:56 BST 2011


Thanks for the information. It works now!!!

I am trying to test out a use case scenario where the user is provided
with an option for local logout and single/global logout. But as of now
even the local logout handler "/Shibboleth.sso/Logout" is also getting
redirected to the IdP logout. I am wondering what should be done so that
the local logout doesn't invalidate the IdP session and displays the
local/partial logout template.

BR,
Naveen

On Wed, 2011-08-10 at 21:14 +0200, Kristof Bajnok wrote:
> On 2011. August 10. 14:51:55 Naveen Davis wrote:
> > I am new to Shibboleth and I have been trying to implement single logout
> > in Shibboleth. I have installed & configured the Hungarian SLO
> > Shibboleth IdP (version 2.2.0) on my Ubuntu (version 10.04) machine. The
> > Shibboleth SP (version 2.4.3) is running on CentOS (version 5.5) in
> > VMware. The Shibboleth SSO is working fine. But the single logout is not
> > working at all and the IdP still has an active SSO session after logging
> > out. It just displays an error message stating missing endpoint security
> > requirements.
> 
> It's because the IdP requires the SLO messages to be signed, as mandated in 
> the profile, but the SP does not do it by default.
> 
> See https://wiki.aai.niif.hu/index.php/ShibIdpSLO#Non-trivial_settings for 
> more details. In short: you should either get all your SPs to sign messages or 
> disable mandatory message authentication at the IdP.
> 
> > I would like to know whether I am missing any key configurations in the IdP and SP
> > for enabling single logout. Also, is there any good reference on Single
> > Logout/Hungarian SLO configurations apart from the wiki page?
> 
> There are a couple of "why is SLO problematic" kind of pages, you should read 
> them. My more recent one is at 
> https://fed-lab.org/best-practises/single-logout/
> 
> Kristof
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
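
Added example, not part of the original thread or of the Shibboleth code base: a small diagnostic for the cause named in the reply above, an IdP that requires signed SLO messages receiving an unsigned LogoutRequest from the SP. It assumes the SP sends the request over the SAML 2.0 HTTP-Redirect binding; the URLs, entity IDs and signature value are constructed placeholders, and the check is for presence only, not cryptographic validity.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SLO_URL = "https://idp.example.org/slo"  # placeholder endpoint (assumption)

def inspect_logout_redirect(url):
    """Decode a redirect-binding LogoutRequest and report whether it is signed.

    Presence check only: the signature is not cryptographically verified.
    """
    params = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in URL")
    # Redirect binding: base64 of raw DEFLATE (no zlib header), hence wbits=-15.
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest: " + root.tag)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        # In this binding the signature travels as query parameters, not in the XML.
        "signed": "Signature" in params and "SigAlg" in params,
    }

def constructed_url(signed):
    """Build a constructed sample request URL; all values are placeholders."""
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           'ID="_constructed1" Version="2.0" IssueInstant="2011-08-10T12:00:00Z" '
           f'Destination="{SLO_URL}">'
           '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
           '<saml:NameID>_constructed_nameid</saml:NameID>'
           '</samlp:LogoutRequest>').encode()
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(xml) + deflater.flush()
    query = {"SAMLRequest": base64.b64encode(raw).decode()}
    if signed:
        query["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        query["Signature"] = "Q09OU1RSVUNURUQ="  # placeholder, not a real signature
    return SLO_URL + "?" + urlencode(query)

if __name__ == "__main__":
    for flag in (False, True):
        print(inspect_logout_redirect(constructed_url(flag)))
```

To use it on a real deployment, paste the URL the browser is redirected to when logout is initiated at the SP; `signed: False` matches the situation described in the reply.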



