Michael A Grady
mgrady at unicon.net
Mon Nov 12 21:37:57 EST 2012
On Nov 12, 2012, at 6:09 PM, Andrew Morgan wrote:
> This will expire the 2 IDP cookies, invalidate the session, and redirect
> to the CAS logout page (we delegate auth to CAS).
If I may ask, if you delegate auth to CAS, why do you have the IdP keep a session in the first place? Why not turn off the PreviousSession Handler in the IdP, and have the only "SSO Session" be with the CAS Server? You still likely want a page after the CAS logout letting the user know what they have and haven't been logged out of, and what they can do to finish logging out of other things. (And you could similarly decide if you are automatically going to log the user out of the CAS Server, or give them the option of doing so.)
> To deploy this, stick it in the root of the WAR file. You can either use
> zip to add it to the WAR file or a better idea would be to put it in the
> src/main/webapp/ directory of your Shibboleth install directory.
> I found another interesting logout idea from NCSU:
> They provide multiple logout pages that have different behaviors. We may
> implement that here at OSU also.
> I don't know if this information would be worth putting in the wiki, but
> hopefully the next guy that needs to implement IDP logout will have a
> better starting point than I did!
Michael A. Grady
Senior IAM Consultant, Unicon, Inc.