Single Logout

Prog programmierstudi at gmx.de
Fri Nov 28 12:41:42 EST 2014


Hi,

the ASCII obviously did not retain its layout. So I'll try to describe 
what I concluded.

SOAP server in this case does not refer to one entity/machine; probably 
the term is misleading. Your application needs to implement a SOAP 
interface the Service Provider can send its Shibboleth Logout Request 
to. In the PHP code at the wiki site you can see an object of type 
SOAPServer is created; other languages may vary. Finally, each 
application obviously has to implement such an interface. As described, 
the next steps involve mapping the Shibboleth session ID to the 
application's session, logging this session out and reporting success 
or throwing a SoapFault.

In case your application completely relies on Shibboleth sessions (i.e. 
does not have its own sessions) you likely do not need to do the SOAP 
stuff, as logging out from the SP should suffice.

Please also note that you do not need the SOAP stuff either if you do 
front-channel logout. I have not dug deeper into the front-channel 
logout yet; just keep in mind that your users have to present their 
Shibboleth SP cookie on calls to the logout URL, which will probably 
never be the case if the logout is called e.g. in an iframe.

Finally, keep in mind that the user will likely still be authenticated 
at the IdP and other SPs.

If you want to implement global logout (log the user out of all active 
sessions: IdP, SP, applications he authenticated to), things rapidly 
grow more complicated or even impossible, depending strongly on your 
level of control over all the servers involved.


Regards,

Michael
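An added example, not part of Michael's post and not the PHP code from the Shibboleth wiki: a minimal back-channel notify endpoint in Python that does the steps he lists (receive the SP's SOAP LogoutNotification, map the Shibboleth session ID to the application's own sessions, terminate them, answer with <OK/> or a SOAP Fault). The namespace `urn:mace:shibboleth:2.0:sp:notify` and the element names LogoutNotification, SessionID and OK are as documented for the SP's Notify feature as I recall them; check them against the schema for your SP version. The session store, the session IDs, the sample notification and the port are constructed for the example.

```python
"""Back-channel logout endpoint for a Shibboleth SP <Notify Channel="back"> hook.

Receives the SOAP LogoutNotification the SP posts, looks up which
application sessions belong to that Shibboleth session, drops them,
and replies with <OK/> (success) or a SOAP Fault (bad request).
"""
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NOTIFY_NS = "urn:mace:shibboleth:2.0:sp:notify"   # assumed: SP notify namespace

# Constructed sample data: the application's session store, keyed by the
# Shibboleth session ID the SP hands the app at login time (Shib-Session-ID).
# One user logged in with two application sessions (e.g. two devices).
APP_SESSIONS = {
    "_7a1d2f3e4b5c6d7e8f90": {"app-sess-1", "app-sess-2"},
}

# Constructed sample of the message the SP posts to the notify Location.
SAMPLE_NOTIFICATION = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    f'<LogoutNotification type="global" xmlns="{NOTIFY_NS}">'
    '<SessionID>_7a1d2f3e4b5c6d7e8f90</SessionID>'
    '</LogoutNotification></soap:Body></soap:Envelope>'
)


def parse_logout_notification(body):
    """Return (type, SessionID) from a LogoutNotification envelope.

    type is "global" (IdP-initiated) or "local" (SP-only logout).
    Raises ValueError or ET.ParseError when the body is not such a message.
    """
    root = ET.fromstring(body)
    msg = root.find(f"{{{SOAP_NS}}}Body/{{{NOTIFY_NS}}}LogoutNotification")
    if msg is None:
        raise ValueError("no LogoutNotification element in SOAP Body")
    sid = (msg.findtext(f"{{{NOTIFY_NS}}}SessionID") or "").strip()
    if not sid:
        raise ValueError("LogoutNotification without SessionID")
    return msg.get("type", "local"), sid


def soap_ok():
    """Success reply: an empty <OK/> element in the notify namespace."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<OK xmlns="{NOTIFY_NS}"/></soap:Body></soap:Envelope>')


def soap_fault(reason):
    """SOAP 1.1 client fault; the reason is XML-escaped so it cannot break markup."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>'
            '<faultcode>soap:Client</faultcode>'
            f'<faultstring>{escape(reason)}</faultstring>'
            '</soap:Fault></soap:Body></soap:Envelope>')


def handle_logout_notification(body, sessions):
    """Terminate the app sessions bound to the notified Shibboleth session.

    Returns (http_status, response_xml, set of terminated app session IDs).
    """
    try:
        _kind, shib_sid = parse_logout_notification(body)
    except (ET.ParseError, ValueError) as exc:
        return 500, soap_fault(str(exc)), set()   # SOAP 1.1 faults use HTTP 500
    # An unknown session is still a success: the user may have logged in at
    # the SP without ever reaching this application, and the SP only needs
    # to know we are done.
    killed = sessions.pop(shib_sid, set())
    return 200, soap_ok(), killed


class NotifyHandler(BaseHTTPRequestHandler):
    """HTTP glue so the block runs as a stand-alone notify endpoint."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, reply, killed = handle_logout_notification(body, APP_SESSIONS)
        self.log_message("terminated app sessions: %s", sorted(killed))
        payload = reply.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/xml; charset=utf-8")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Loopback only: the notify URL must not be reachable by end users.
    HTTPServer(("127.0.0.1", 8080), NotifyHandler).serve_forever()
```

Two practical points the post's steps leave implicit. The notification carries no authentication of its own, so the notify URL should only be reachable from the SP that sends it (loopback, firewall or web-server ACL); otherwise anyone who can reach it can terminate sessions. And the SP's message is attacker-influenced XML only in the sense that it is XML at all: for a production endpoint parse it with defusedxml (or an equivalently hardened parser) rather than the bare xml.etree used here, since entity-expansion protection in the standard library depends on the expat version underneath it.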
