Shibboleth logout URL redirect

Cantor, Scott cantor.2 at
Wed Dec 30 12:05:11 EST 2015

On 12/30/15, 11:24 AM, "users on behalf of Ovidius" <users-bounces at on behalf of alex at> wrote:

>So, ideally I would like to redirect to /idp/profile/Logout and, as far as I
>understood, I should be able to supply a query string parameter to redirect
>to a different URI, or am I wrong in thinking this?

The latter (i.e., yes, you're wrong in thinking that). The non-SAML endpoint in the IdP is proprietary; it isn't a protocol you can rely on. It has no parameters. It produces a view template and if you want to end up somewhere else, you can modify the view template to do so.

>I have tried this: /idp/profile/Logout? but it does not
>redirect after logging me out of the identity server and I am stuck on the
>Shibboleth logout page unless I hit the back button on my browser.

To be fair, if it did that blindly, it would be an open redirector.

The SP has functionality of this sort, and by default it does end up operating as an open redirector, causing people to complain. Limiting the redirection it allows is a feature you have to enable.

The IdP has no such functionality so turning it into an open redirector is entirely a deployer's choice. But that's a really bad idea for an IdP to be doing that. The potential for abuse is pretty large.

-- Scott
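
The kind of limit on post-logout redirection discussed above, as an added example that is not part of the original message and is not Shibboleth's own code. The allow-list entries, the default landing path and the function name are constructed for illustration; a return target is honoured only if it is a local path or an exact match for an allow-listed origin.

```python
from urllib.parse import urlsplit

# Constructed allow-list of (scheme, host, port) origins a logout page may send users to.
ALLOWED_ORIGINS = {
    ("https", "sp.example.org", 443),
    ("https", "portal.example.org", 8443),
}
DEFAULT_TARGET = "/logged-out"   # hypothetical local landing page
_DEFAULT_PORTS = {"https": 443}  # only https targets are ever accepted


def safe_return_url(candidate, allowed=ALLOWED_ORIGINS, default=DEFAULT_TARGET):
    """Return candidate if it is a local path or an allow-listed origin, else default."""
    if not candidate or len(candidate) > 2048:
        return default
    # Browsers treat "\" like "/" and drop tabs/newlines while parsing, so a
    # value containing them can parse differently here than in the browser.
    if "\\" in candidate or any(ord(c) < 0x21 or ord(c) == 0x7F for c in candidate):
        return default
    try:
        parts = urlsplit(candidate)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path with exactly one leading slash
        # ("//host/..." is scheme-relative and would leave the site).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in _DEFAULT_PORTS:
        return default               # http:, javascript:, data:, or "//host" with no scheme
    if parts.username is not None or parts.password is not None:
        return default               # "https://trusted@other-host/" style confusion
    origin = (parts.scheme, parts.hostname, port or _DEFAULT_PORTS[parts.scheme])
    return candidate if origin in allowed else default


if __name__ == "__main__":
    for sample in ("https://sp.example.org/app",            # allow-listed origin
                   "//elsewhere.example/",                   # scheme-relative
                   "https://sp.example.org@elsewhere.example/",
                   "/account/home"):                         # local path
        print(f"{sample!r:50} -> {safe_return_url(sample)!r}")
```

Comparing the parsed origin exactly, rather than testing the string for a prefix or substring, is what keeps look-alike hosts and userinfo tricks out of the allow-list.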

