Logout of O365/Shib/CAS

Cantor, Scott cantor.2 at osu.edu
Mon May 4 17:26:03 EDT 2015

On 5/4/15, 4:49 PM, "Benjamin Cherian" <benjamin.cherian at villanova.edu> wrote:

>Currently when we try to logout of office dev, it returns an error, because it is trying to use Shibboleth's logout URL, which returns an error, because. At that point the end user is not logged out of CAS or O365. We can try to redirect to the CAS logout page, but that doesn't log them out of the O365 portal.
>What is the correct way to logout of CAS and logout of ADFS/O365? Is there a JSP or other code I should edit to sent them to CAS? Is there a way to specify in the SAML response that it is not an error?

You'd want to catch the logout at the SP end before it attempts a SAML Logout to the IdP (which one of the responders suggested might be possible). If it gets to the IdP, all other things aside, the IdP will end up responding to ADFS without a failure status since the SAML portion failed, and one of the nasty bugs in ADFS is that it doesn't perform the logout on its end before sending the LogoutRequest to the IdP, only after. That's very dumb, since any failure at the other end will leave the user signed into the ADFS end, needlessly.

I wasn't aware of that until a vendor actually forced me to accomodate a SAML Logout for their broken app, and I realized that short of a perfect response to ADFS, it wasn't completing the logout. Even sending the PartialLogout substatus, which is the most likely true result of any logout request, was enough to leave the user signed in. Very bad.

-- Scott

More information about the users mailing list