logout and misc Qs --shib idp

Cantor, Scott cantor.2 at osu.edu
Mon Nov 5 09:36:10 EST 2012


On 11/5/12 9:25 AM, "Kevin P. Foote" <kpfoote at iup.edu> wrote:
>
>On Mon, 5 Nov 2012, ci_98yr wrote:
>-> 1. What is being currently used for logout? It now appears that SSO has been
>-> solved but SLO or Limited LO (selective log out) has been left out. For a
>-> newbie, what is the quickest option to get log out option implemented?
>
>General consensus is don't.

Maybe a slightly softer view: we haven't figured out how given the
application complexities and tried to explain why.

I just fixed one issue in the SP for 2.5.1, which was the requirement to
have access to the session cookie to do a front-channel logout. But the
problem with that "fix" is that if you don't have access to it, any app
that's not using or checking the SP session itself will not have access to
its own cookie(s), and then you're back where you started.

>Here if apps have a "logout" button page or whatever, the link goes back
>to an IdP page stating the user should close their browser. This is
>currently the simplest and most universally supported way to end the IdP
>session.

Unfortunately we know this no longer really works in a large set of cases.

I think a checkbox during login to bypass SSO on shared machines is a
fairly crucial feature at this point to at least allow users with clue to
protect themselves.

>You can additionally use some JSP at this page to remove / expire the
>shib related cookies.

Time permitting, we will still be looking at trying to build an IdP-only
logout mechanism that formally clears that state using the standard
protocol. Chad had planned to before he left the project, and I still hope
to pick up that work.

-- Scott
