SP Logout

Cantor, Scott cantor.2 at osu.edu
Tue Nov 22 16:07:20 GMT 2011


On 11/22/11 10:44 AM, "Natarajan, Senthil" <senthil at pitt.edu> wrote:

>If the SP logs out, what needs to be cleared (Session, Cookie etc.) so that
>they will be redirected to the IdP for Authentication (even though the
>default session timeout period is not reached)?

The supported mechanism is the LogoutInitiator endpoint, installed by
default. The Local plugin will always clear the local session regardless
of whether SAML logout is possible, which it generally isn't.

Of course most IdPs will immediately just reauthenticate the user, and
using ForceAuthn doesn't always change that (consider Kerberos or
certificate-based authentication).

If you want to manually clear the SP's cookie, you can, but I will not
tell you what the cookie's name is; it's not a public API. The cookieName
option is one way of overriding that and forcing a name you control, but
it isn't necessary in most cases.

>
>Can SP logout functionality be achieved using Forced
>Authentication on the IdP side (I am not sure how to notify exactly the
>logout event to the IdP) or any other way?

ForceAuthn is a different, perhaps related, issue. But it is not logout.

-- Scott
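
For reference, a sketch of where the pieces named in this reply sit in a Shibboleth SP 2.x shibboleth2.xml. This is an added example, not part of the original message or the project's shipped configuration; the attribute values, including the cookie name, are constructed placeholders.

```xml
<!-- Added illustration: fragment of shibboleth2.xml, placed inside
     the <ApplicationDefaults> element. Values are constructed samples. -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
          handlerURL="/Shibboleth.sso"
          cookieName="example_sp_session">
    <!-- cookieName is optional. It overrides the session cookie's name
         with one you control, so application code that clears the cookie
         does not depend on the SP's internal default name.
         "example_sp_session" is a hypothetical value. -->

    <!-- The logout endpoint is handlerURL + Location, so a browser sent
         to /Shibboleth.sso/Logout runs the chain below. -->
    <LogoutInitiator type="Chaining" Location="/Logout">
        <!-- SAML 2.0 logout toward the IdP; only works when the IdP
             supports it, which is often not the case. -->
        <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
        <!-- Local plugin: clears the SP's own session whether or not
             SAML logout was possible. -->
        <LogoutInitiator type="Local"/>
    </LogoutInitiator>
</Sessions>
```

Clearing the SP session this way does not end the IdP's session, so the next protected request may be signed back in without a prompt.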


