Logout of O365/Shib/CAS

Rhian Resnick rresnick at fau.edu
Mon May 4 17:30:19 EDT 2015

I can confirm this is our experience. Our experience:

User in Outlook.com clicks logout.
Browser directs to /logout.aspx
Logout.aspx sends logout to Shibboleth
Shibboleth logout may fail. If it does, the user may be redirected (and authenticated) back into outlook.com

We love this feature so much.

Rhian Resnick
Assistant Director Middleware and HPC
Office of Information Technology

Florida Atlantic University
777 Glades Road, CM22, Rm 218
Boca Raton, FL 33431
Phone 561.297.2647
Fax 561.297.0222

From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Monday, May 04, 2015 5:26 PM
To: Shib Users
Subject: Re: Logout of O365/Shib/CAS

On 5/4/15, 4:49 PM, "Benjamin Cherian" <benjamin.cherian at villanova.edu> wrote:

>Currently when we try to logout of office dev, it returns an error, because it is trying to use Shibboleth's logout URL, which returns an error, because. At that point the end user is not logged out of CAS or O365. We can try to redirect to the CAS logout page, but that doesn't log them out of the O365 portal.
>What is the correct way to logout of CAS and logout of ADFS/O365? Is there a JSP or other code I should edit to send them to CAS? Is there a way to specify in the SAML response that it is not an error?

You'd want to catch the logout at the SP end before it attempts a SAML Logout to the IdP (which one of the responders suggested might be possible). If it gets to the IdP, all other things aside, the IdP will end up responding to ADFS without a failure status since the SAML portion failed, and one of the nasty bugs in ADFS is that it doesn't perform the logout on its end before sending the LogoutRequest to the IdP, only after. That's very dumb, since any failure at the other end will leave the user signed into the ADFS end, needlessly.

I wasn't aware of that until a vendor actually forced me to accommodate a SAML Logout for their broken app, and I realized that short of a perfect response to ADFS, it wasn't completing the logout. Even sending the PartialLogout substatus, which is the most likely true result of any logout request, was enough to leave the user signed in. Very bad.

-- Scott
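Scott's point above, that the relying party should end its own session before it depends on what comes back from the IdP, as an added example that is not code from this thread or from Shibboleth/ADFS: a small Python handler that drops the local session first and only then classifies the LogoutResponse status (plain Success, Success with a PartialLogout second-level code, or anything else). The XML builder, the session dictionary and all identifiers in it are constructed for the example.

```python
"""SAML 2.0 single-logout status handling at a relying party (constructed example)."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"   # second-level code


def sample_response(top, nested=None):
    """Build a minimal, unsigned LogoutResponse for testing (constructed, not real traffic)."""
    inner = f'<samlp:StatusCode Value="{nested}"/>' if nested else ""
    return (f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" ID="_example1" '
            f'Version="2.0" IssueInstant="2015-05-04T21:26:00Z"><samlp:Status>'
            f'<samlp:StatusCode Value="{top}">{inner}</samlp:StatusCode>'
            f'</samlp:Status></samlp:LogoutResponse>')


def logout_response_status(xml_text):
    """Return (top-level StatusCode value, second-level value or None)."""
    root = ET.fromstring(xml_text)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None:
        raise ValueError("LogoutResponse without a Status element")
    nested = top.find("samlp:StatusCode", NS)
    return top.get("Value"), (nested.get("Value") if nested is not None else None)


def classify(top, nested):
    """Map the status pair onto what the IdP actually achieved."""
    if top != SUCCESS:
        return "failed"
    if nested == PARTIAL:
        return "partial"      # IdP logged out, but could not reach every other SP
    return "complete"


def handle_logout(sessions, session_id, idp_response_xml):
    """Terminate the local session, then interpret the IdP's answer.

    Returns (session_still_present, remote_result). The local session is
    removed before the response is even parsed, so a failure or partial
    result at the IdP can never leave the user signed in here.
    """
    sessions.pop(session_id, None)          # local logout happens unconditionally
    top, nested = logout_response_status(idp_response_xml)
    return session_id in sessions, classify(top, nested)
```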
