Logout of O365/Shib/CAS
Cantor, Scott
cantor.2 at osu.edu
Mon May 4 17:40:06 EDT 2015
On 5/4/15, 5:30 PM, "Rhian Resnick" <rresnick at fau.edu> wrote:
>I can confirm this is our experience. Our experience.
>
>User in Outlook.com clicks logout.
>Browser directs to /logout.aspx
>Logout.aspx sends logout to Shibboleth
>Shibboleth logout may fail. If it does the user may be redirected (and authenticated) back into outlook.com
>
>We love this feature so much.
That, at least, is just an outright bug. Obviously you might be left signed into the IdP and if it goes back there, that's a Shibboleth failing (well, it's a web failing, but whatever), but what I found is that it doesn't need to go back to the IdP, it just leaves you signed into the app afterward.
With any SAML SP, the first and primary responsibility in requesting a logout is to destroy the local session before it ever sends a request to the IdP. Failure there should never leave the session that initiated the logout intact. When it did this even upon returning a successful LogoutResponse with a PartialLogout substatus, I was pretty dumbfounded that anybody hadn't noticed that in this amount of time.
-- Scott
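The ordering Scott describes, as an added example that is not code from this thread, from Shibboleth, or from Microsoft: a toy SP in Python that destroys its local session before the LogoutRequest leaves, next to the buggy ordering that keeps the session until the IdP answers cleanly. The session store, the IdP stand-in and the user name are constructed assumptions; only the SAML status URNs are real.

```python
from dataclasses import dataclass, field
import secrets

# SAML 2.0 status values used by Single Logout (these URNs are from the spec).
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


@dataclass
class ServiceProvider:
    """Toy SP session store (constructed); destroy_first picks correct vs. buggy ordering."""
    destroy_first: bool
    sessions: dict = field(default_factory=dict)   # session id -> user
    pending: dict = field(default_factory=dict)    # LogoutRequest ID -> session id

    def login(self, user: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid

    def start_logout(self, sid: str) -> dict:
        """Build the LogoutRequest that would be sent to the IdP for session `sid`."""
        user = self.sessions[sid]
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = sid
        if self.destroy_first:
            del self.sessions[sid]  # correct: local session is gone before the IdP is contacted
        return {"ID": req_id, "NameID": user}

    def finish_logout(self, response: dict) -> None:
        """Consume the LogoutResponse; the buggy SP only tears down on a clean Success."""
        sid = self.pending.pop(response["InResponseTo"])
        clean_success = response["StatusCode"] == SUCCESS and response.get("SubStatus") is None
        if self.destroy_first or clean_success:
            self.sessions.pop(sid, None)  # a no-op for the correct SP, which already did this


def idp_logout_response(request: dict, status: str, substatus: str = None) -> dict:
    """Stand-in IdP (constructed): answer the LogoutRequest with the given status."""
    return {"InResponseTo": request["ID"], "StatusCode": status, "SubStatus": substatus}


def session_survives(destroy_first: bool, status: str, substatus: str = None) -> bool:
    """Run one SP-initiated SLO round trip and report whether the app session is left intact."""
    sp = ServiceProvider(destroy_first=destroy_first)
    sid = sp.login("alice@example.org")  # constructed user
    sp.finish_logout(idp_logout_response(sp.start_logout(sid), status, substatus))
    return sid in sp.sessions
```

With destroy_first=True the session is gone no matter what the IdP answers, or whether it answers at all; with destroy_first=False an IdP failure or a Success carrying the PartialLogout substatus leaves the user signed in to the app, which is the behaviour the thread complains about.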