Just logging out of Shibboleth

Peter Schober peter.schober at univie.ac.at
Thu May 21 04:12:44 EDT 2015

* Ranil De Silva <ranil.desilva at industrieit.com> [2015-05-21 02:06]:
> One of the problems is that when a user authenticates with Shibboleth but
> doesn't have permissions for the application itself. The issue here is that
> because the user can't get into the application, they can't logout (and
> hence logout of Shibboleth). And without being able to logout of Shibboleth
> they can't enter new credentials (assume they have a second set of
> credentials) to get into the application.

I don't think user switching (using the same browser) will work

> Is there a way of just logging out of Shibboleth directly in this instance?
> I have been trying the idp/Profile/Logout by calling
> https://<site>/idp/Profile/Logout
> without any args and although it goes to the logout page, it doesn't seem
> to be clearing the necessary sessions.

From the above it seems you want to logout from the SP first, so try
/Shibboleth.sso/Logout on the SP and see whether that gets you to the
IDP with a logout request.

As for clearing any HTTP cookies in the IDP with a non-SAML request,
people added scripts of any kind to the IDP webserver to clear
out (i.e., overwrite with an expiry date in the past) any cookies set
by the IDP. Something like that may have been included in the IDP
later, I can't recall, but it would be trivial to code up a page like
that yourself.

And of course the usual suggestions always apply: Close the browser,
or start a new window in Private Browsing Mode, that doesn't share
state with the main browser window/process.
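
The cookie-clearing page mentioned above, sketched as a small WSGI application. This is an added example, not part of the original post and not code from the Shibboleth project. The cookie names (JSESSIONID, _idp_session) and the paths (/idp, /) are assumptions; replace them with what your IDP actually sets.

```python
"""Cookie-clearing page for an IdP web server, as a small WSGI app."""

# Assumed values, not from the original post: adjust to what your IdP sets.
IDP_COOKIE_NAMES = frozenset({"JSESSIONID", "_idp_session"})
IDP_COOKIE_PATHS = ("/idp", "/")
PAST = "Thu, 01 Jan 1970 00:00:00 GMT"


def cookie_names(cookie_header):
    """Return the cookie names present in a request's Cookie header."""
    names = []
    for pair in (cookie_header or "").split(";"):
        name = pair.split("=", 1)[0].strip()
        if name and name not in names:
            names.append(name)
    return names


def expiring_headers(cookie_header, names=IDP_COOKIE_NAMES, paths=IDP_COOKIE_PATHS):
    """Build Set-Cookie headers that overwrite each listed cookie the browser
    sent with an empty value and an expiry date in the past."""
    headers = []
    for name in cookie_names(cookie_header):
        if name not in names:
            continue  # never touch cookies the IdP did not set
        # A browser replaces a cookie only when name, domain and path match,
        # and the request does not reveal the path, so cover each candidate.
        for path in paths:
            headers.append(("Set-Cookie",
                f"{name}=; Path={path}; Expires={PAST}; Max-Age=0; Secure; HttpOnly"))
    return headers


def application(environ, start_response):
    """WSGI entry point: answer any request with the expiring cookies."""
    headers = [("Content-Type", "text/plain; charset=utf-8"),
               ("Cache-Control", "no-store")]
    headers += expiring_headers(environ.get("HTTP_COOKIE", ""))
    start_response("200 OK", headers)
    return [b"IdP cookies cleared in this browser.\n"]


if __name__ == "__main__":
    # Constructed sample Cookie header, for illustration only.
    for _, value in expiring_headers("JSESSIONID=abc123; _idp_session=xyz; theme=dark"):
        print("Set-Cookie:", value)
```

Expiring the cookies only makes the browser drop them; any session state kept on the server side remains until it times out.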
