ADFS Shibboleth question

Michael A Grady mgrady at unicon.net
Thu Apr 3 16:15:58 EDT 2014


On Apr 3, 2014, at 2:57 PM, Cameron Kerr wrote:

> Another difficulty, not to be forgotten because it ends up being rather annoying, is logout. (to simplify matters, I'm only considering it with one IdP, not a federated logout).
> 
> As an example, I have an IdP that integrates with an Oracle SSO (Webgate/OAM). In a way this is rather nice, because I get need to have my IdP cluster stateless, and if you have an OAM session, then you will automatically get an IdP session.
> 
> However, I'm reluctant to move forward with it at the moment, because I need (particularly for shared devices such as Library kiosks -- and probably also things like loaner iPads) users to be able to click on a logout link on a protected application... that means the Application has to hook to the SP,

Is the SP or the application maintaining the session? If the app is maintaining its own session, "jump-started" by the SP, then set the SP session very short, and don't have the IdP maintaining an SSO session (PreviousSession handler off). Then all the app has to do is end its own session and redirect the user to a URL/page you specify, which could be the Oracle SSO logout endpoint (assuming it has one). Nothing to end at the SP or IdP.

Unless you mean you are trying to end all SP/app sessions for other services at the same time, in which case it does get complicated.

> which has to hook to the IdP, which has to hook to OAM, which then has to hook back to the application. 
> 
> Oh, and I need to make my IdP cluster stateful to get logout working...
> 
> 
> In my case, login was easy... logout may be a little more dreadful.
> 

--
Michael A. Grady
University of Illinois at Urbana-Champaign (retired)
217-721-3890


--
Michael A. Grady
Senior IAM Consultant, Unicon, Inc.
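The arrangement Michael suggests, shown as an added configuration example (it is not part of the original thread and not the Shibboleth project's own sample files): a Shibboleth SP 2.x shibboleth2.xml Sessions element with a short maximum lifetime and idle timeout, so the SP session is effectively a one-shot bootstrap for the application's own session, and an IdP 2.x handler.xml in which the PreviousSession login handler is absent, so the IdP never recognises an earlier authentication and issues no SSO session of its own. The hostnames, entityIDs, lifetimes and the Oracle SSO logout URL are placeholders.

```xml
<!-- ===== Fragment 1: Shibboleth SP 2.x, shibboleth2.xml (placeholder values) ===== -->
<!-- lifetime: maximum age of the SP session in seconds (default 28800).
     timeout:  inactivity timeout in seconds (default 3600).
     Both set short so the SP session dies soon after it has bootstrapped
     the application's own session; the app is then the only thing to log out. -->
<Sessions lifetime="300" timeout="120" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https">

    <!-- Placeholder IdP entityID -->
    <SSO entityID="https://idp.example.edu/idp/shibboleth">
        SAML2 SAML1
    </SSO>

    <!-- Local logout only: the app does not need SP or IdP logout here.
         A "Local" handler lets the app clear the SP session too if desired, e.g.
         /Shibboleth.sso/Logout?return=https://sso.example.edu/oam/server/logout -->
    <Logout>Local</Logout>

    <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
    <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
    <Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>

<!-- ===== Fragment 2: Shibboleth IdP 2.x, conf/handler.xml (placeholder values) ===== -->
<!-- The PreviousSession login handler is deliberately omitted, so every SP
     request is sent through the external (OAM-backed) handler and the IdP
     keeps no SSO session that a logout would have to tear down. -->
<ph:ProfileHandlerGroup
    xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Authentication is delegated to the Oracle SSO/OAM-protected
         path; the handler path and method URI are placeholders. -->
    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>
            urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
        </ph:AuthenticationMethod>
    </ph:LoginHandler>

    <!-- Intentionally NOT present:
    <ph:LoginHandler xsi:type="ph:PreviousSession">
        <ph:AuthenticationMethod>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
        </ph:AuthenticationMethod>
    </ph:LoginHandler>
    -->
</ph:ProfileHandlerGroup>
```

With this in place the application's logout link only has to clear the application session and redirect to the Oracle SSO logout endpoint; because neither the SP nor the IdP holds a session worth ending, the IdP cluster can stay stateless. The two fragments live in two different files and are shown together here only for comparison, so the fence is not a single well-formed XML document. The trade-off is that every protected application visit within the short SP window still reaches the IdP, so the OAM session becomes the single place where "still logged in" is decided.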