Shibboleth Logout behavior

Atul Bhagwat atulabhagwat at gmail.com
Wed Nov 12 02:24:30 EST 2014


Hi Scott,

Thanks for your reply. I am trying your suggestion. Can you explain a bit
more on:



*Another is to use the standard configuration on all of them, but add a
custom LogoutInitiator handler of type="Local" at some special location and
send the browser to do a local-only logout.*

-Atul

On Mon, Nov 10, 2014 at 4:38 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 11/10/14, 10:57 PM, "Atul Bhagwat" <atulabhagwat at gmail.com> wrote:
>
>
> >
> >I have tried it using Logout methods provided LOCAL and SAML2. I couldn't
> >figure out a way to make a particular SP as a main application.
>
> Logout is between IdP and SP, not SP and SP. The IdP is brokering whatever
> happens after a logout is requested, and Shibboleth does not support that
> brokering anyway, so I don't see the relevance unless you're using some
> other software. Assuming that's the case...
>
> You can't use the routine configuration and support SAML logout inbound
> but prevent it from issuing logout requests outbound. Making it initiate
> local logout only but respond to SAML logout from another system would
> require elaborately configuring things using the old manual syntax for
> configuring handlers and endpoints.
>
> One option is to get rid of any logout endpoints in A's metadata, which
> will prevent the IdP from ever sending it a logout if B or C requests one.
>
> Another is to use the standard configuration on all of them, but add a
> custom LogoutInitiator handler of type="Local" at some special location
> and send the browser to do a local-only logout.
>
> -- Scott
>
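
The second option quoted above, sketched as an SP 2.x `shibboleth2.xml` fragment. This is an added illustration, not part of the original messages and not the project's shipped configuration; the `/LocalLogout` location and the IdP entityID are assumed placeholder values.

```xml
<!-- Fragment of <ApplicationDefaults> in shibboleth2.xml (added example). -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https"
          handlerURL="/Shibboleth.sso">

    <!-- Assumption: placeholder IdP entityID. -->
    <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>

    <!-- Standard configuration, kept on every SP:
         /Shibboleth.sso/Logout attempts SAML 2.0 logout through the IdP and
         falls back to local logout; the SP also keeps its inbound SAML
         logout endpoints, so it still responds to logout from the IdP. -->
    <Logout>SAML2 Local</Logout>

    <!-- Added handler at a separate location (path name is an assumption):
         /Shibboleth.sso/LocalLogout removes only this SP's session and
         sends no LogoutRequest to the IdP. -->
    <LogoutInitiator type="Local" Location="/LocalLogout"/>
</Sessions>
```

The application's own logout link then points at `/Shibboleth.sso/LocalLogout` instead of `/Shibboleth.sso/Logout`. The IdP session and the sessions at the other SPs remain active after a local-only logout.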