Selective Single Logout Propagation

Cantor, Scott cantor.2 at
Thu May 11 17:03:39 EDT 2017

> When we set this up it works great for all of the SPs that support the
> SingleLogoutService.  Unfortunately, since not all SPs support this our users
> will see an error when logging out (most notably for us with Google Apps).

Well, they should see a red X. You can't avoid that unless you take the tack (which I basically do) that it needs to be changed to hide all the results since the answer in any given case is pretty much always "sort of logged out of some stuff". The community has indicated that it doesn't all agree on that answer so the answer for now is that it needs to get much more flexible and configurable.

>  Is there a way to configure the logout propagation so that if the
> SingleLogoutService is not defined in the metadata then it does not even
> attempt to propagate the logout?

It doesn't attempt to. That doesn't change the outcome, logout to that service still didn't happen. Perhaps you're misunderstanding the meaning of the UI, or perhaps you're of a mind to agree with my opinion on it. Or I'm misremembering what it does, but that's my recollection and certainly it was the intent. It's not displaying services it thinks you can logout of, it's meant to be displaying every service it knows about, and then telling you if it could logout (according to the protocol telling it that it did).

Also, that UI is not 508 compliant, like at all. If you're a public, you probably need to be aware of that. That's another reason I want to hide it, because I don't know how to make it compliant.

-- Scott

More information about the users mailing list