Logout flow best practice

jaycnpl-cs at yahoo.com jaycnpl-cs at yahoo.com
Tue Jul 17 16:14:35 EDT 2018

When a user logs out, I would like the user sessions to be killed in my application, Shibboleth SP and IdP (external). What's the best way to achieve this?

1) Logout link points to the application. Application kills its session and redirects to the SP (/Logout), SP redirects to the IdP, IdP responds back to the SP.
2) Logout link points to the SP (/Logout). SP uses Notify to call the application logout (through front channel, but it could be back channel as well), which returns back to the SP. SP calls the IdP, IdP kills its session and responds back to the SP.

Both work. The second one has one additional hop, but since it uses Notify, it could be used for an IdP-initiated SLO later. The first one doesn't need Notify since the request comes directly to the application. Is one preferable over the other?
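
An added example, not part of the original post: a sketch of the application-side endpoint that option 2's front-channel Notify would call. It assumes the SP passes `action=logout` and a `return` URL as query parameters; the host name, session store and function names are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed value for illustration: the SP origin the browser must return to.
SP_ORIGIN = ("https", "sp.example.org")


def is_safe_return(url, sp_origin=SP_ORIGIN):
    """Accept only absolute URLs that lead back to the SP's own origin."""
    parts = urlsplit(url)
    # Reject embedded credentials ("https://sp.example.org@other.host/").
    if parts.username is not None:
        return False
    return (parts.scheme, parts.hostname) == sp_origin


def handle_notify(query_string, app_sessions, app_session_id):
    """Front-channel logout notification handler (option 2 in the post).

    Returns (status, location). The application session is destroyed before
    the return URL is examined, so a rejected URL still logs the user out.
    """
    params = parse_qs(query_string)
    if params.get("action") != ["logout"]:
        return 400, None  # not a logout notification: leave the session alone

    app_sessions.pop(app_session_id, None)  # kill the local session first

    returns = params.get("return", [])
    if len(returns) != 1 or not is_safe_return(returns[0]):
        return 400, None  # never redirect the browser to an unchecked URL
    return 302, returns[0]  # hand the browser back to the SP to continue SLO
```

Checking the `return` value against the SP origin keeps the logout endpoint from being usable as an open redirect.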