Forcing logout with NativeSP

Kevin P. Foote kpfoote at iup.edu
Thu Sep 29 23:15:13 BST 2011 

Your location /Security/logout would be the page or code
that would start your "local" logout.

What ever application code there would handle the removal of any
application session and then in an ideal world be able to land you at
/Shibboleth.sso/logout?redirect="bla" taking care of removing your SP 
session as well..

At least that is what I recall. And the basics of how it happens in
the apps we have done this for..


On Thu, 29 Sep 2011 14:11:24 -0700
  Stephen Chan <sychan at lbl.gov> wrote:
>   Yes, I was in fact thinking of something just like that but it
> wasn't clear what, if any, set of directives would do the right 
>thing.
> 
>   I just tried it, and it does not seem to be clearing the shib
> session, I am getting the full list of Shib attributes as well as a a
> legit session ID. No redirect to the logout handler, and my session
> seems as healthy as ever.
> 
>   Was it supposed to work, or were you asking the question just foe
> clarification?
> 
>   Steve
> 
> On Thu, Sep 29, 2011 at 1:19 PM, Kevin P. Foote <kpfoote at iup.edu> 
>wrote:
>>
>> Are you looking for something like this?
>>
>>        <Location ~ "^/Security/logout">
>>                AuthType shibboleth
>>                ShibRequireSession Off
>>                require shibboleth
>>        </Location>
>>
>>
>> ------
>> thanks
>>  kevin.foote
>>
>> On Thu, 29 Sep 2011, Stephen Chan wrote:
>>
>> -> Hi,
>> ->    I'm working on shibboleth integration for a CMS we run and 
>>wanted
>> -> to get some suggestions for the best way to proceed.
>> ->
>> ->    There are 2 URL's used by the CMS to handle login and login,
>> -> /Security/login and /Security/logout. Using the native SP it is
>> -> straightforward to put a Shibboleth auth-type setting on
>> -> /Security/login and have all the appropriate attributes available 
>>to
>> -> be read by the web app.
>> ->
>> ->    The part that I would like advice on is how to handle logout. 
>>Is
>> -> there a way to configure Apache to require _no_ shibboleth session 
>>on
>> -> /Security/logout and have the Native SP module redirect to
>> -> /Shibboleth.sso/logout with a return URL? I would like for the
>> -> NativeSP shib session to be expired by the control returns to the 
>>CMS,
>> -> so that it can simply cleanup the CMS session.
>> ->
>> ->    The only way that comes to mind is to setup a mod_rewrite rule 
>>that
>> -> tests for auth_type being set to Shibboleth, and then redirecting 
>>to
>> -> /Shibboleth.sso/logout?return={original url} - but I was hoping 
>>for
>> -> something that was cleaner.
>> ->
>> ->     Thanks,
>> ->     Steve
>> -> --
>> -> To unsubscribe from this list send an email to 
>>users-unsubscribe at shibboleth.net
>> ->
>> --
>> To unsubscribe from this list send an email to 
>>users-unsubscribe at shibboleth.net
>>
> --
> To unsubscribe from this list send an email to 
>users-unsubscribe at shibboleth.net

------
thanks
  kevin.foote

More information about the users mailing list