idp.session.enabled and shibboleth logout?

Cantor, Scott cantor.2 at osu.edu
Wed Jun 15 16:50:06 EDT 2016


On 6/15/16, 1:43 PM, "users on behalf of Liam Hoekenga" <users-bounces at shibboleth.net on behalf of liamr at umich.edu> wrote:

>I have seen suggestions from IdP v2 to turn off the previousSession handler if deferring
> authn to an external SSO.  I believe the equivalent in IdP3 would be setting
> idp.session.enabled to false.

Well, not exactly. I guess they overlap, but they certainly aren't the same thing. You can disable SSO in V3 by just using a really short authentication flow lifetime, but still have sessions.

The PreviousSession thing was sort of a weird hack that V2 used to implement SSO, but it's not really related to whether sessions are enabled or not. They're always on in V2.

>We're also interested in trying the updated SLO functionality in Idp 3.2.x, which appears
>to need session tracking enabled (so it knows which SPs to logout from).  Presumably that
>requires the IdP session layer be enabled?

Yes.

-- Scott





More information about the users mailing list