logout and misc Qs --shib idp
Michael A Grady
mgrady at unicon.net
Mon Nov 5 17:11:19 EST 2012
And I think U Chicago has the best documentation on this approach that I've been able to find, even though it is labeled as a "proposal" and not what was being done yet in production. I think one thing in the short term that would be useful to the community is a few more samples/examples of what various institutions have done with an IdP-associated page to remove the IdP session and put out some message about what has *not* been logged out of and what one can try to do to ensure one logs out of remaining stuff also (although, since the "exit all tabs/windows/browser" advice is getting less and less effective, what one says exactly is getting harder to figure out).
USC also had an interesting approach to logging users out of some of the local SSO-protected apps that one might use Shib for; I don't know if they are still using that or not. (Russ and/or Brendan?) I know they had shared a sample back when Illinois was first setting up Shib for use with Google, and Google allowed one to register a URL to send the user to after logging out of GAE. That was a page presented by the IdP that included a number of images, with each image invoking the Logout page of one of their SPs. I don't think (at least at the time) that they tracked which of those SPs you might have invoked during your browser session, they just picked a set of the "most sensitive" (my words/characterization, not theirs!).
On Nov 5, 2012, at 3:49 PM, David Langenberg wrote:
> On Mon, Nov 5, 2012 at 2:28 PM, Steven Carmody <Steven_Carmody at brown.edu> wrote:
>> On 11/5/12 2:29 PM, David Langenberg wrote:
>>> +++1 here too. The lack of any sort of official logout support
>>> (closing the browser does not count when talking to most prospective
>>> SPs) is the single biggest problem I have in getting new projects to
>>> choose Shibboleth over legacy authentication.
>> We've deployed a page at our IDP that will delete the IDP's session cookie.
>> SPs can choose to redirect the user to this page if a user clicks LOGOUT
>> at the SP site (after deleting all session cookies at the SP).
>> I believe there's also a version of the IDP page that asks the user
>> whether or not they want to destroy the session at the IDP.
>> Would an approach like this address concerns from these SP operators?
> I thought it would and I even wrote such a feature into our standard
> logout page, however, The Powers That Be decided it was a hack and
> that we'd wait until the shib project came out with their official
> David Langenberg
> Identity & Access Management
> The University of Chicago
Michael A. Grady
Senior IAM Consultant, Unicon, Inc.
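As an added illustration of the IdP-side logout page discussed above (the IdP expires its own session cookie, fires each registered SP's logout URL from an image tag, and tells the user what was not logged out), this is example code written for this thread, not code from the original message or from any of the institutions named; the SP registry, the `_idp_session` cookie name and the example.edu URLs are hypothetical:

```python
from dataclasses import dataclass
from html import escape
from urllib.parse import urlsplit

# Hypothetical registry of SP logout endpoints (constructed sample values).
SP_LOGOUT_URLS = {
    "webmail": "https://mail.example.edu/Shibboleth.sso/Logout",
    "wiki": "https://wiki.example.edu/Shibboleth.sso/Logout",
    "hr": "https://hr.example.edu/Shibboleth.sso/Logout",
}
IDP_SESSION_COOKIE = "_idp_session"  # hypothetical IdP session cookie name


@dataclass
class Response:
    status: int
    headers: list
    body: str


def expire_cookie(name, path="/"):
    """Set-Cookie header that removes the IdP session cookie from the browser."""
    return ("Set-Cookie",
            f"{name}=; Path={path}; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly")


def select_sp_logouts(requested, registry=SP_LOGOUT_URLS):
    """Keep only names that exist in the registry and resolve to an https URL.
    Caller-supplied names are never echoed, so the page cannot be made to load an
    arbitrary URL (which is what an attacker would try with a redirect-style parameter)."""
    chosen = {}
    for name in requested:
        url = registry.get(name)
        if url and urlsplit(url).scheme == "https":
            chosen[name] = url
    return chosen


def render_logout_page(requested_sps, registry=SP_LOGOUT_URLS):
    """Build the IdP logout response: expire the IdP cookie, invoke each chosen SP
    logout via a 1x1 <img>, and list the registered SPs that were NOT logged out."""
    chosen = select_sp_logouts(requested_sps, registry)
    not_logged_out = sorted(set(registry) - set(chosen))
    imgs = "\n".join(f'<img src="{escape(u, quote=True)}" alt="" width="1" height="1">'
                     for u in chosen.values())
    remaining = "".join(f"<li>{escape(n)}</li>" for n in not_logged_out)
    body = ("<html><body><h1>You have been logged out of the IdP</h1>\n"
            f"<p>Logout requested at {len(chosen)} application(s).</p>\n{imgs}\n"
            "<p>Applications NOT logged out (close your browser to end them):</p>\n"
            f"<ul>{remaining}</ul></body></html>")
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Cache-Control", "no-store"),
               expire_cookie(IDP_SESSION_COOKIE)]
    return Response(200, headers, body)
```

Browsers that default cookies to SameSite=Lax will generally not send an SP's session cookie on a cross-site image request, so the image-based SP logout is best effort; the explicit "not logged out" list is the part the user can rely on.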