logout and misc Qs --shib idp

Cantor, Scott cantor.2 at osu.edu
Tue Nov 13 15:23:46 EST 2012

On 11/13/12 3:08 PM, "William G. Thompson, Jr." <wgthom at gmail.com> wrote:
>That said, I believe there are more straightforward ways to implement
>the behavior described for user-controlled SSO opt-out and IdP-only
>logout mechanism (i.e. *not* SLO).

The only one that I know of that's self-contained is what I did, replacing
the IdP session with a cookie-based mechanism managed by a custom login
handler, along with disabling the PreviousSession handler to avoid any
cross talk.

Adding opt-out under user control to that isn't complex. More advanced
features like blocking SSO based on network address mask or something like
that aren't too hard but would get into additional configuration elements I
haven't looked at.

-- Scott

