Shibboleth Logout behavior

Cantor, Scott cantor.2 at
Mon Nov 10 19:38:26 EST 2014

On 11/10/14, 10:57 PM, "Atul Bhagwat" <atulabhagwat at> wrote:

>I have tried it using Logout methods provided LOCAL and SAML2. I couldn't 
>figure out a way to make a particular SP as a main application.

Logout is between IdP and SP, not SP and SP. The IdP is brokering whatever 
happens after a logout is requested, and Shibboleth does not support that 
brokering anyway, so I don't see the relevance unless you're using some 
other software. Assuming that's the case...

You can't use the routine configuration and support SAML logout inbound 
but prevent it from issuing logout requests outbound. Making it initiate 
local logout only but respond to SAML logout from another system would 
require elaborately configuring things using the old manual syntax for 
configuring handlers and endpoints.

One option is to get rid of any logout endpoints in A's metadata, which 
will prevent the IdP from ever sending it a logout if B or C requests one.

Another is to use the standard configuration on all of them, but add a 
custom LogoutInitiator handler of type="Local" at some special location 
and send the browser to do a local-only logout.

-- Scott

More information about the users mailing list