logout and misc Qs --shib idp

Cantor, Scott cantor.2 at osu.edu
Mon Nov 5 16:39:37 EST 2012

On 11/5/12 4:28 PM, "Steven Carmody" <Steven_Carmody at brown.edu> wrote:
>we've deployed a page at our IDP that will delete the IDP's session
>SPs can choose to redirect the user to this page if a user clicks LOGOUT
>at the SP site (after deleting all session cookies at the SP)
>I believe there's also a version of the IDP page that asks the user
>whether or not they want to destroy the session at the IDP.
>Would an approach like this address concerns from these SP operators ?

When they say yes, they're usually confused. They're thinking "sure, if
you logout of *me*, then I'm safe". But then you point out "what if they
log out of somebody else's app?" and they realize they're not getting

And then, there's the problem of what you're supposed to say when this
process is done.

That's why Chad and I spent years going back and forth over whether it's a
good idea or not, and mostly sidestepped it because it's trivial to build
in a CGI script so people could decide for themselves.

-- Scott

More information about the users mailing list