IdpSession Logout Problems

Cantor, Scott cantor.2 at
Thu Nov 3 16:43:44 GMT 2011

On 11/3/11 12:10 PM, "Skylar Hansen" <shansen at> wrote:
>I haven't thought all of this through, but it would makes sense to me if
>the SP could do a double check for a valid Idp session in the Idp
>session database periodically and then, if there isn't a valid Idp
>session found it would update the session records and attempt to logout.

I don't think it's easier to invent a new protocol for tying sessions
together and add a database to the IdP than to just change the SP to track
logout requests independently of a cookie showing up.

>Something along these lines, I would think, would allow for a more
>complete logout even if someone had signed in on multiple browsers.

I don't think it's our intent to treat multiple browser sessions as
related unless the SAML logout features for doing that are used.

> The UI could at least report an accurate status of complete or partial

The point is whether it helps if the answer is always partial. And what
does that mean? It's circular. If you can't logout any other way, then
you're being told "you're screwed". If you can, then you didn't need the
logout protocol.

>You could argue that if it isn't a Shibboleth app, then it is beyond the
>scope of Shibboleth. I think most people would understand that.

There really aren't many Shibboleth apps. Most apps do their own sessions,
so by that definition, it would rarely if ever apply.

>It seems that avoiding ambiguity with users works best when possible. My
>management actually insisted that I NEVER tell users about Shibboleth.
>He doesn't even want to hear the word outside of our office.

I don't blame him. But if the common case is ambiguous, you're kind of

>I also have the portal doing a bunch of logouts from a custom portal
>logout page. When those are done, the portal redirects to a custom
>logout.jsp page on the Shibboleth Idp that deletes the Shibboleth
>_idp_session and Shibboleth JSESSIONID cookies, and then invalidates the

Just FYI, there is no JSESSIONID cookie involved at the IdP unless you
added something that's using it.

-- Scott

More information about the users mailing list