Shibboleth logout URL redirect
Cantor, Scott
cantor.2 at osu.edu
Wed Dec 30 12:05:11 EST 2015
On 12/30/15, 11:24 AM, "users on behalf of Ovidius" <users-bounces at shibboleth.net on behalf of alex at dima.to> wrote:
>
>So, ideally I would like to redirect to /idp/profile/Logout and, as far as I
>understood, I should be able to supply a query string parameter to redirect
>to a different URI, or am I wrong in thinking this?
The latter (i.e., yes, you're wrong in thinking that). The non-SAML endpoint in the IdP is proprietary, it isn't a protocol you can rely on. It has no parameters. It produces a view template and if you want to end up somewhere else, you can modify the view template to do so.
>I have tried this: /idp/profile/Logout?return=www.google.com but it does not
>redirect after logging me out of the identity server and I am stuck on the
>Shibboleth logout page unless I hit the back button on my browser.
To be fair, if it did that blindly, it would be an open redirector.
The SP has functionality of this sort, and by default it does end up operating as an open redirector, causing people to complain. Limiting the redirection it allows is a feature you have to enable.
The IdP has no such functionality so turning it into an open redirector is entirely a deployer's choice. But that's a really bad idea for an IdP to be doing that. The potential for abuse is pretty large.
-- Scott
More information about the users
mailing list