Shibboleth Logout behavior
Cantor, Scott
cantor.2 at osu.edu
Mon Nov 10 19:38:26 EST 2014
On 11/10/14, 10:57 PM, "Atul Bhagwat" <atulabhagwat at gmail.com> wrote:
>
>I have tried it using Logout methods provided LOCAL and SAML2. I couldn't
>figure out a way to make a particular SP as a main application.

Logout is between IdP and SP, not SP and SP. The IdP is brokering whatever
happens after a logout is requested, and Shibboleth does not support that
brokering anyway, so I don't see the relevance unless you're using some
other software. Assuming that's the case...

You can't use the routine configuration and support SAML logout inbound
but prevent it from issuing logout requests outbound. Making it initiate
local logout only but respond to SAML logout from another system would
require elaborately configuring things using the old manual syntax for
configuring handlers and endpoints.

One option is to get rid of any logout endpoints in A's metadata, which
will prevent the IdP from ever sending it a logout if B or C requests one.

Another is to use the standard configuration on all of them, but add a
custom LogoutInitiator handler of type="Local" at some special location
and send the browser to do a local-only logout.

-- Scott
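
A check for the first option in the reply above (no logout endpoints in A's metadata), as an added example that is not part of the original message: it lists the SingleLogoutService endpoints each SP advertises in SAML metadata. The entity IDs, URLs and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: SP "a" publishes no logout endpoint, SP "b" publishes one.
SAMPLE_METADATA = f"""\
<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://a.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}">
      <md:AssertionConsumerService index="1" Binding="{POST}"
          Location="https://a.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://b.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}">
      <md:SingleLogoutService Binding="{REDIRECT}"
          Location="https://b.example.org/Shibboleth.sso/SLO/Redirect"/>
      <md:AssertionConsumerService index="1" Binding="{POST}"
          Location="https://b.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def logout_endpoints(metadata_xml):
    """Return {entityID: [(Binding, Location), ...]} for every SP in the metadata."""
    # Run this on metadata you already trust; ElementTree does no validation.
    root = ET.fromstring(metadata_xml)
    found = {}
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):  # also matches a lone root
        roles = entity.findall("md:SPSSODescriptor", NS)
        if roles:
            found[entity.get("entityID")] = [
                (slo.get("Binding"), slo.get("Location"))
                for role in roles
                for slo in role.findall("md:SingleLogoutService", NS)]
    return found

def advertises_logout(metadata_xml, entity_id):
    """True if the SP publishes at least one logout endpoint; KeyError if absent."""
    return bool(logout_endpoints(metadata_xml)[entity_id])

if __name__ == "__main__":
    for entity_id, endpoints in logout_endpoints(SAMPLE_METADATA).items():
        print(entity_id, endpoints or "no SingleLogoutService endpoints")
```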