Logout without closing the browser

Marvin Addison marvin.addison at gmail.com
Wed Dec 9 10:27:40 EST 2015

> Is it possible to logout without closing the browser?

Short answer: yes as of 3.2.0.
Long answer follows.

First, we need to clarify the meaning of "logout." I'll define it as
follows: the IdP session ends and the application sessions of all services
accessed during the SSO session are ended. That definition I would argue is
most consistent with user expectation. The first part is easy and the
second part, commonly called single logout (SLO), is surprisingly
difficult. SLO is new in 3.2.0.

SLO is and probably always will be a best-effort technology for most
protocols the IdP supports. As for the UI, we list all accessed services
and provide a clear indication of the result of attempting to logout of
each. For the SAML2 protocol, the reported result is accurate and can be
relied upon. For the CAS protocol, it is not strictly accurate due to
fundamental limitations in the protocol and current state of browser
security policy (i.e. CORS).

I have a TODO to write up documentation on logout capabilities in 3.2.0,
which your message prompts me to do. I'll post that to this thread when
it's completed.

> We want to be able to logout and if the user returns go to the logout
> screen.

That's not how it works. If you logout of the IdP you'll get a page asking
whether you want to logout of everything (all services accessed during your
SSO session). Either way if you return to the IdP from a service whose
application session is ended, you'll be prompted to log in again. You
will not see the logout page; but I would argue it amounts to the same
thing: the user has to log in again.
