Forcing logout with NativeSP
Stephen Chan
sychan at lbl.gov
Fri Sep 30 00:56:27 BST 2011
On Thu, Sep 29, 2011 at 3:15 PM, Kevin P. Foote <kpfoote at iup.edu> wrote:
> Your location /Security/logout would be the page or code
> that would start your "local" logout.
Yes, that is exactly what it is.
> Whatever application code there would handle the removal of any
> application session and
It does that now.
> then in an ideal world be able to land you at
> /Shibboleth.sso/logout?redirect="bla" taking care of removing your SP
> session as well..
Sadly we are in a less than ideal world, and there are no
convenient hooks in the web app for me to install a final redirect.
I could do it if I modified the core session handling of the
application, but I would like to avoid that.
Do you know of a way to have the mod_shib module forward to the
logout handler and return? It does this for login, and I wonder if
there is a way to make it happen for logouts.
> At least that is what I recall. And the basics of how it happens in
> the apps we have done this for..
I have tested the following configuration and it works, however it
seems somewhat brittle and I wanted something cleaner:
<Location /Security/login.php>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require valid-user
</Location>
<Location /Security/no-op.php>
    AuthType shibboleth
    ShibRequireSession Off
    require shibboleth
</Location>
<Location /Security/logout.php>
    AuthType shibboleth
    ShibRequireSession Off
    require shibboleth
</Location>
<Directory blah...blah...blah/Security>
    RewriteEngine on
    RewriteCond %{AUTH_TYPE} =shibboleth
    RewriteCond %{REMOTE_USER} ^.+$
    RewriteRule ^(logout\.php.*) /Shibboleth.sso/Logout?return=https://me.mydomain.tld/Security/${ [R]
</Directory>
It would be nice if that rewrite rule didn't have to be written for
every location - is there some support for this in the NativeSP?
Steve
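
Added example, not part of the original post or of the Shibboleth project: the two-step logout Kevin describes in the quoted text (drop the application session, then land on the SP logout handler), written as a hypothetical standalone PHP logout page. It assumes native PHP sessions; the host name is the one used in the post, and the choice of /Security/no-op.php as the landing page is an assumption.

```php
<?php
// Hypothetical /Security/logout.php (added example, assumptions noted inline).

// SP logout handler path as used in the rewrite rule in the post.
const SP_LOGOUT_HANDLER = '/Shibboleth.sso/Logout';

// Fixed post-logout landing page (assumed). It is a constant rather than
// request input, so the return parameter cannot be pointed at another site.
const RETURN_URL = 'https://me.mydomain.tld/Security/no-op.php';

// Build the redirect to the SP logout handler. The return target is itself
// a URL, so it is percent-encoded before being placed in the query string.
function sp_logout_url(string $handler, string $returnUrl): string
{
    return $handler . '?return=' . rawurlencode($returnUrl);
}

// Step 1: remove the application's own session (data, cookie, server state).
function end_local_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie with the same scope it was set with.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

end_local_session();

// Step 2: hand off to the SP so it removes its session, then returns the
// browser to RETURN_URL.
header('Location: ' . sp_logout_url(SP_LOGOUT_HANDLER, RETURN_URL), true, 302);
exit;
```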