Configuring return URL on Logout

Peter Gillard-Moss pgillard at thoughtworks.com
Wed Jun 18 07:01:19 EDT 2014


Thanks for the quick response, Peter.  Perhaps let's talk in terms of goals
instead.

In order to keep our applications simple and ensure security (as in we know
they're not using some poorly written SAML gem) we front our app with
mod_shib.  The apps themselves know nothing of SSO or auth, no sessions etc.
etc..  They are completely dumb and rely wholly on Shibboleth to "do the right
thing".

So, in our apache config we have mod_proxy at / and mod_shib at /sso

In terms of logout we wish the user to be able to initiate a logout
sequence from the app.  The first step (when the user clicks 'Log out') is
to instruct Shibboleth to logout of the app locally.  We do this with a
hyperlink to /sso/Logout (which goes to mod_shib).  We are trusting that
Shibboleth 'does the right thing' here and expires the session.

To continue the logout sequence we then wish to redirect to the IdP.  The
IdP can then display its status with a clear message that you are still
logged in at a global level and give a clear option to logout globally.
Now, we understand the caveats of the fact that other individual apps may
still have sessions active etc. but that is an entirely different avenue
from my OP.  For the moment, 'the best' we can do is display messages and
make it clear to the user what is going on.

Another reason for local logout is so, if the IdP has been logged out, but
the Shibboleth session is still active, the user can still initiate logout
from our app.

So at the moment we are achieving this with a link to
/sso/Logout?return=http://IdP/status.  For a number of sound reasons we *don't* want the
application to be in control of the return URL (we don't want them to even
know of its existence).  We want this to be configured in Shibboleth once
and the exact same configuration passed to all apps.

Does the above make sense?  Happy to be advised on methods of improving the
above.

Peter


On 18 June 2014 10:13, Peter Schober <peter.schober at univie.ac.at> wrote:

> * Peter Gillard-Moss <pgillard at thoughtworks.com> [2014-06-18 10:56]:
> > We need to provide local logout and we are using the URL /Logout
> > successfully.  However we wish to redirect to the IdP which displays a
> > status page of your SSO status and the status of applications logged
> > into.  It also gives a clear logout button.
>
> "Need" local logout is weird in itself, but combining that requirement
> (local logout == don't tell the IDP about it) with a page at the IDP
> that claims to be able to track SSO status and logged out applications
> is "interesting".
>
> > From the documentation we can't decipher how to configure shibboleth to
> > redirect to our URL.  The only thing we've found is to put the URL as a
> > value to the return query string parameter.  We would far prefer to
> > configure this within Shibboleth thus allowing applications to be
> > completely ignorant (and avoid people getting it wrong, allowing it to
> > change etc.).
>
> "People" meaning SP administrators, right? Because end users will
> always be able to do whatever they want with URLs you present them.
>
> I don't think there's a way to do that. Either way it would be
> something the SP or webserver admin would have to configure herself
> anyway. And a simple Redirect directive in httpd would achieve that,
> no? Are you asking this specifically because you intend to generate
> shibboleth2.xml files for SPs of yours? That's the only use-case I
> can imagine where having something inside shibboleth2.xml could save
> the admin this one step.
> -peter
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>



-- 
Peter Gillard-Moss
Developer | ThoughtWorks | TechOps
http://www.thoughtworks.com
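The layout described in the message (mod_proxy at /, mod_shib at /sso, the application only ever linking to a local logout path) combined with the Redirect directive Peter Schober suggests, written out as an added example. This is not configuration from the thread or from the Shibboleth project; app.example.org, idp.example.org, the backend at 127.0.0.1:8080 and the /logout path are placeholders.

```apache
# Added example, not from the thread: one httpd virtual host implementing the
# layout in the message. Hostnames, port and the /logout path are placeholders.
<VirtualHost *:443>
    ServerName app.example.org
    SSLEngine on
    # (certificate directives omitted)

    # Everything under / requires an SP session and is proxied to the backend,
    # which knows nothing about SSO. ProxyPass is first-match, so the
    # exclusions for /sso and /logout below must precede this catch-all.
    ProxyPass /sso    !
    ProxyPass /logout !
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>

    # mod_shib owns /sso: the SP's Logout, Session and SAML handlers live here.
    # This block comes after <Location /> so the session requirement inherited
    # from it is switched off for the handler location.
    <Location /sso>
        SetHandler shib
        AuthType None
        Require all granted
    </Location>

    # /logout is the only logout link the application needs to know. mod_alias
    # answers it with a 302 into the SP's Logout handler, and the IdP status
    # page (URL-encoded in the return parameter) is configured here, once,
    # rather than in any application. The redirect is issued in the
    # translate phase, before authorization, so it works on a protected site.
    RedirectMatch 302 "^/logout$" "https://app.example.org/sso/Logout?return=https%3A%2F%2Fidp.example.org%2Fstatus"
</VirtualHost>
```

Two caveats the thread already circles around. First, /sso/Logout with a return parameter only clears the SP's own session; the IdP session survives, which is precisely why the redirect lands on the IdP's status page rather than claiming a global logout. Second, the SP's Logout handler still accepts a return parameter from anyone who crafts the URL, so keeping the value out of the application does not by itself stop the handler being used as an open redirect. Shibboleth SP 2.6 and later can restrict this with the redirectLimit and redirectWhitelist attributes on the <Sessions> element of shibboleth2.xml (for example redirectLimit="exact+whitelist" with the IdP status URL as the whitelist), and a deployment like the one above should allow only that one destination.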