Comprehension question about the order of steps during logout

Martin Lunze martin.lunze at tu-dresden.de
Tue Jul 30 03:01:36 EDT 2013


Hello Peter,

excuse me for writing in German.
Of course I will repeat my questions in English.
It's not the best English, but I hope you and the others will
understand.

I have some questions about the logout process, specifically about the
different redirects in the background.

I have two service providers (SPs) working together with one and the same
identity provider (IdP).
Both SPs have implemented a logout button using the following URL to
initiate a logout process on the SP side.

/Shibboleth.sso/Logout

After pressing the logout button on SP 1, the user is redirected to
the IdP, where he sees that Logout.jsp.
I have edited the logout page of the IdP so that the user is shown all SPs
he logged in to during the last session.

At this point the user is logged out from the SP and the IdP.
I have tested this.

Let us assume the user is logged in again.
Pressing the logout button on SP 2 ends up in the following
situation.

The user is shown the logout page of SP 2.
/Shibboleth.sso/SLO/Redirect?SAMLResponse=...

Here he is logged out from the SP and the IdP, too.
Also tested.

Both SPs have similar logout URLs in their metadata files.

To test at which point the user is redirected to which URL at the SP
and IdP I have installed Firebug for Mozilla.
Since I am no expert in using Firebug, I couldn't collect much
information.

I recognized that in both situations the user is redirected to the
logout URL of the IdP. Logical, because of the destroyed session on the
IdP side.

But the problem now is that only in one situation is the user redirected back
to the SP after logging out at the IdP.
If I understood correctly, this behaviour is a so-called SAMLResponse,
because the SP sends a SAMLRequest and wants to know whether the logout process
on the IdP side was successful or not?!

Now I want to know at which point I can manage this behaviour.
Is it a configuration in the Shibboleth2.xml of the SP or its metadata?

Maybe somebody can explain to me what other reactions can happen?
I also want to know how you are using logout.

If I am right, the user is only logged out on the IdP side and on the side
of the SP which initiated the logout, and NOT logged out from all SPs
he logged in to.
That's why I would prefer that the logout page of the IdP is the last
page the user is shown, in every case!
So he can see where he is/was logged in and has the opportunity to log
out from the other SPs.

I would be glad if we could speak about the different reactions and
redirects.

With kind regards

On Monday, 29.07.2013, 15:21 +0200, Peter Schober wrote:
> * Martin Lunze <martin.lunze at tu-dresden.de> [2013-07-29 15:11]:
> > Hello everyone,
> 
> The list language is English.  If that is a massive problem, we
> could probably handle a few e-mails in German as well.
> Otherwise I would either answer your request in English, or you
> ask the question again in English (then those who do not speak
> German could answer as well, such as the developers of the
> software).
> Alternatively you can of course also direct the question to the DFN-AAI
> mailing list https://www.aai.dfn.de/mailinglisten/, or have the
> hotline https://www.aai.dfn.de/kontakt/ deal with it.
> -peter
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

-- 
Kind regards
Martin Lunze

Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen
Trefftz-Bau, HRSK 151
Zellescher Weg 12-14
01062 Dresden

+49 351 463-35881
martin.lunze at tu-dresden.de
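An added example, not code from this post or from the Shibboleth project, showing what the SAMLResponse parameter on the /Shibboleth.sso/SLO/Redirect URL mentioned above actually carries (a SAML 2.0 LogoutResponse, DEFLATE-compressed and base64-encoded per the HTTP-Redirect binding) and the checks an SP applies before it trusts the IdP's answer: the Destination must be the SP's own SLO endpoint, InResponseTo must match the LogoutRequest the SP really sent, and the StatusCode must be Success. The hostnames, message IDs and the response body are constructed; the signature check a real SP also performs on the query string is left out.

```python
"""Decode and check a SAML 2.0 LogoutResponse delivered via the HTTP-Redirect
binding, as an SP's SLO endpoint would.  Added example; all hosts and IDs
are constructed, and query-string signature verification is omitted."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: what an IdP might send back to SP 2 after a LogoutRequest.
SAMPLE_LOGOUT_RESPONSE = """<samlp:LogoutResponse
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-response-1" Version="2.0"
    IssueInstant="2013-07-30T07:01:36Z"
    Destination="https://sp2.example.org/Shibboleth.sso/SLO/Redirect"
    InResponseTo="_example-request-1">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:LogoutResponse>"""


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(wbits=-15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect(param: str) -> str:
    """Inverse of encode_redirect: what the SP does with the SAMLResponse value."""
    return zlib.decompress(base64.b64decode(param), wbits=-15).decode("utf-8")


def parse_logout_response(xml_text: str) -> dict:
    """Extract the fields the SP needs to decide whether the logout succeeded."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutResponse: %s" % root.tag)
    issuer = root.find("saml:Issuer", NS)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value") if code is not None else None
    return {
        "id": root.get("ID"),
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "status": value,
        "success": value == STATUS_SUCCESS,
    }


def check_logout_response_url(url: str, expected_request_id: str) -> dict:
    """Checks an SP applies before trusting the status: the parameter is
    present and decodes, Destination is this very endpoint, and InResponseTo
    names the LogoutRequest the SP itself issued (an unsolicited or replayed
    response must not be accepted).  Signature verification is omitted here."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    if "SAMLResponse" not in qs:
        raise ValueError("no SAMLResponse parameter on %s" % parsed.path)
    info = parse_logout_response(decode_redirect(qs["SAMLResponse"][0]))
    endpoint = "%s://%s%s" % (parsed.scheme, parsed.netloc, parsed.path)
    info["destination_ok"] = info["destination"] == endpoint
    info["in_response_to_ok"] = info["in_response_to"] == expected_request_id
    info["accepted"] = bool(
        info["success"] and info["destination_ok"] and info["in_response_to_ok"])
    return info


def build_sample_url(xml_text: str = SAMPLE_LOGOUT_RESPONSE) -> str:
    """Build the redirect URL an IdP would send the browser to (constructed host)."""
    return "https://sp2.example.org/Shibboleth.sso/SLO/Redirect?" + urlencode(
        {"SAMLResponse": encode_redirect(xml_text)})


if __name__ == "__main__":
    url = build_sample_url()
    print(url[:80] + "...")
    for key, val in check_logout_response_url(url, "_example-request-1").items():
        print("%-18s %s" % (key, val))
```

Running it prints the constructed redirect URL and the decoded fields; changing the StatusCode in the sample to a non-Success value, or passing a request ID the SP never issued, flips "accepted" to False, which is exactly the case in which an SP should not treat the IdP-side logout as confirmed.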