IDP logout.jsp

Andrew Morgan morgan at
Tue Nov 13 12:48:43 EST 2012

On Mon, 12 Nov 2012, Michael A Grady wrote:

> On Nov 12, 2012, at 6:09 PM, Andrew Morgan wrote:
>> This will expire the 2 IDP cookies, invalidate the session, and 
>> redirect to the CAS logout page (we delegate auth to CAS).
> If I may ask, if you delegate auth to CAS, why do you have the IdP keep 
> a session in the first place? Why not turn off the PreviousSession 
> Handler in the IdP, and have the only "SSO Session" be with the CAS 
> Server? You still likely want a page After the CAS logout letting the 
> user know what they have and haven't been logged out of, and what they 
> can do to finish logging out of other things. (And you could similarly 
> decide if you are automatically going to log the user out of the CAS 
> Server, or give them the option of doing so.)

Ignorance?  :)

If I turn off the PreviousSession Handler, will Shibboleth stop using the 
IDP cookie, or does the IDP cookie have another purpose?

I still haven't decided how to handle SSO logout in our environment. 
Based on what I read here and on the web, we may need some complicated 
verbiage on our logout page.  :(


More information about the users mailing list