Synchronous SAML SLO

Martin Haase Martin.Haase at DAASI.de
Thu Dec 8 09:59:55 EST 2016


Hi Scott,

On 08.12.2016 at 15:25, Cantor, Scott wrote:
>> this is a single IdP3.2.1, single SP 2.6. I set the LogoutInitiator for
>> the SP to asynchronous="false".
> One reason not to do that is that there really is no purpose to it anymore. That was why we defaulted to what we did. It was why we created the extension in fact.
>
>> Upon access to sp/Shibboleth.sso/Logout?return=XXX, the SP correctly does the SLO
>> request, the IdP returns a 200 with the "logout complete" view. Then in
>> SAML tracer, I can see a LogoutResponse being sent back to the SP, and a
>> GET request to XXX. However, what I *see* in the browser is still the
>> "logout complete" view i.e. the whole response logic seems to work
>> behind the scenes. How can this be?
> Because that is the only viable UI for single logout, the IdP has to maintain control to propagate the messages.
If there was only one SP, couldn't the IdP return control to the
initiating SP? Or actually, wouldn't a feature idp.logout.dontpropagate
make sense? I can imagine many SPs that want to terminate their and the
IdP's session, but cannot speak for other SPs.

Regards,
Martin

>> What I expected was the SP to report
>> the logout operation, and/or a return to XXX. I remember this used to
>> work with IdP 2.4 those days.
> The IdP didn't implement single logout before, now it does (or tries to).
>
> -- Scott
>

-- 
Dr. Martin Haase, Solutions Engineer

DAASI International GmbH        
Europaplatz 3                   
D-72072 Tübingen                
Germany                    

phone: +49 7071 407109-0
fax:   +49 7071 407109-9  
email: martin.haase at daasi.de
web:   www.daasi.de

Registered office: Tübingen
Court of registration: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz

