Logout of O365/Shib/CAS

Michael A Grady mgrady at unicon.net
Mon May 4 23:37:13 EDT 2015

On May 4, 2015, at 4:52 PM, Benjamin Cherian <benjamin.cherian at villanova.edu> wrote:

> I believe in ADFS 3 there is no .asp file to edit because it does not use IIS. Microsoft support engineers have told our ADFS admins that there is no way to customize the logout flow in ADFS. We can customize some JS and I think configure a custom logout URL. 

Yes, with the switch to http.sys with ADFSv3, there is no direct access to those aspx files as there used to be. I have heard that most (all?) of those aspx files still exist, but they are embedded in dlls, and that one could use Visual Studio to extract, modify, and then re-insert "strings". Not an attractive approach.

But if you set the logout URL to go to the CAS logout, and then have that redirect the user back to a URL you create on the ADFS Server, you could probably get what you want. Install IIS, and have a simple .Net app that just clears any and all cookies for the ADFS service. (Windows can co-exist ADFS and IIS's use of :443 on the same IP Address.) Redirect to that after the CAS logout. Not elegant, but seems a better option than messing with the dlls. 

p.s. Of course, just like you disabled the SSO/session in Shib when deferring to CAS, you could do that (presumably) with ADFS. But then you'd impact those users using clients that leverage WS-Trust, and are not getting sent on to the IdP, making them log in each time.

> -------- Original message --------
> From: Rhian Resnick
> Date:05/04/2015 5:30 PM (GMT-05:00)
> To: Shib Users
> Subject: Re: Logout of O365/Shib/CAS
> I can confirm this is our experience. Our experience.
> User in Outlook.com clicks logout.
> Browser directs to /logout.aspx
> Logout.aspx sends logout to Shibboleth
> Shibboleth logout may fail. If it does the user may be redirected (and authenticated) back in to outlook.com
> We love this feature so much. 
> Rhian Resnick
> Assistant Director Middleware and HPC
> Office of Information Technology
> Florida Atlantic University
> 777 Glades Road, CM22, Rm 218
> Boca Raton, FL 33431
> Phone 561.297.2647
> Fax 561.297.0222

Michael A. Grady
Senior IAM Consultant, Unicon, Inc.
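
The cookie-clearing endpoint suggested in the message above, as an added example that is not part of the original message or anyone's production code: an ASP.NET handler hosted in IIS on the AD FS host and used as the final redirect target after CAS logout. The class name, the cookie names and the `/adfs` cookie path are assumptions to confirm against the `Set-Cookie` headers your own deployment issues.

```csharp
using System;
using System.Web;

// Added example: final redirect target after CAS logout, hosted in IIS
// on the same host name as the AD FS service.
public class ClearAdfsCookies : IHttpHandler
{
    // Assumption: names and path as commonly set by AD FS; verify them
    // against the Set-Cookie headers seen in your own deployment.
    static readonly string[] AdfsCookieNames =
        { "MSISAuth", "MSISAuthenticated", "MSISSignOut", "MSISLoopDetectionCookie" };
    const string AdfsCookiePath = "/adfs";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // Snapshot first: adding to Response.Cookies also alters Request.Cookies.
        string[] received = context.Request.Cookies.AllKeys;

        // The Set-Cookie headers must reach the browser, never a cached copy.
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetNoStore();

        // A browser drops a cookie only when name and Path match the original.
        // Cookies scoped to /adfs are not sent to this URL, so expire by name.
        foreach (string name in AdfsCookieNames)
            Expire(response, name, AdfsCookiePath);

        // Cookies the browser did send are assumed to be scoped to "/".
        foreach (string name in received)
            Expire(response, name, "/");

        response.ContentType = "text/plain";
        response.Write("You have been signed out.");
    }

    static void Expire(HttpResponse response, string name, string path)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            Path = path, Secure = true, HttpOnly = true,
            Expires = DateTime.UtcNow.AddYears(-1)
        };
        response.Cookies.Add(cookie); // Add, not Set: same name may recur per path
    }
}
```

Server-side expiry is needed here because cookies marked HttpOnly cannot be removed from page JavaScript.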
