Forcing logout with NativeSP

Cantor, Scott cantor.2 at osu.edu
Fri Sep 30 05:36:15 BST 2011


On 9/30/11 12:21 AM, "Stephen Chan" <sychan at lbl.gov> wrote:
>    
>       This app does have a logout hook, and it was very useful for
>    calling the session logout code for SimpleSAMLPHP. I'd like to
>    convert the app to the native SP and use the same hook, however a
>    browser redirect introduces a lot more side effects than was
>    originally planned for this logout hook. I can still use the hook, I
>    just wanted to explore other options - such as expiring the SP
>    session before even calling the CMS logout code.

Expiring the session is basically just the cookie. You could walk the set
of cookies supplied to the page and clear them all. Or perhaps everything
but the set your CMS is managing. I wouldn't ever document those cookies
explicitly, but if you based it on the set that the client happened to
supply you, clearing those would be guaranteed to include the SP cookie.

I don't think a feature that "protects" a URL with a logout is something
very many people would use, but if you had in mind something like:

<Location /applogout>
AuthType shibboleth
ShibRequestSetting requireLogout /applogout
require shibboleth
</Location>

i.e., if a session exists, redirect to default LogoutInitiator with
"return" set to the final parameter, otherwise pass request through.

That would be fairly simple to add. Weird, but not a major undertaking.

But honestly I'm not sure a rewrite isn't just as simple, and it works
now, with all SP versions.

-- Scott
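
The cookie-walking approach from the reply (clear every cookie the client supplied except the set the CMS manages), as an added PHP example that is not part of the original message. The `CMSSESS` prefix and the sample cookie names are hypothetical, and it assumes HTTPS and cookies set host-only with `Path=/`, because the request's Cookie header carries names and values but not the path or domain a browser needs to match when expiring them.

```php
<?php
// Added example, not from the original message. Assumes HTTPS and cookies set
// host-only with Path=/; 'CMSSESS' is a hypothetical CMS cookie prefix.

/** Names from the raw Cookie header ($_COOKIE rewrites '.' and ' ' to '_'). */
function supplied_cookie_names(string $cookieHeader): array
{
    $names = [];
    foreach (explode(';', $cookieHeader) as $pair) {
        $name = trim(explode('=', $pair, 2)[0]);
        // Only echo back RFC 6265 token names; never reflect odd bytes into a header.
        if (preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/', $name)) {
            $names[$name] = true;   // de-duplicate
        }
    }
    return array_keys($names);
}

/** Set-Cookie lines expiring everything supplied except the CMS-managed cookies. */
function expiry_headers(string $cookieHeader, array $keepPrefixes, string $path = '/'): array
{
    $headers = [];
    foreach (supplied_cookie_names($cookieHeader) as $name) {
        foreach ($keepPrefixes as $prefix) {
            if (strncmp($name, $prefix, strlen($prefix)) === 0) {
                continue 2;         // CMS cookie: its own logout code handles it
            }
        }
        $headers[] = "Set-Cookie: $name=; Path=$path; Max-Age=0; "
                   . 'Expires=Thu, 01 Jan 1970 00:00:01 GMT; Secure';
    }
    return $headers;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample request header, for running the file stand-alone.
    $sample = 'CMSSESSab12=keep; example_sp_cookie=opaque; tracking.id=7';
    echo implode("\n", expiry_headers($sample, ['CMSSESS'])), "\n";
} else {
    // In the logout hook, before calling the CMS logout code.
    foreach (expiry_headers($_SERVER['HTTP_COOKIE'] ?? '', ['CMSSESS']) as $line) {
        header($line, false);       // false: append, do not replace earlier Set-Cookie
    }
}
```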


