Logout flow best practice

Peter Schober peter.schober at univie.ac.at
Wed Jul 18 05:36:28 EDT 2018

* jaycnpl-cs at yahoo.com <jaycnpl-cs at yahoo.com> [2018-07-17 22:19]:
> When a user logs out, I would like the user sessions to be killed in
> my application, Shibboleth SP and IdP (external).

The problem is with ignoring other applications: What if your
SP/application isn't the last one accessed, where SLO is being
triggered?  What if that other SP doesn't support SLO (which is beyond
your control), or the IDP doesn't support it?

> 1) logout link points to application. Application kills session and
> redirects to SP, (/Logout), SP redirects to IdP, IdP responds back
> to SP
> 2) logout points to SP (/Logout), SP uses Notify to call
> application logout, (through front channel, but it could be back
> channel as well), returns back to SP, SP calls IdP, IdP kills
> session and responds back to SP.

Is there even a choice to be made? You can (and should, if you want
SLO to "work") configure Notify and prepare your application for that
(by indexing app sessions with SAML sessions), and you can still point
your application links to a resource that removes the application
session first before triggering SAML SLO where it's your own resource
that triggers SLO, no?
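
Added example, not part of the original post or of Shibboleth's own code: one way to index application sessions by SP session so that both an application logout link and a back-channel Notify call end the right sessions. The `SessionIndex` class and handler name are hypothetical, the notification body is a constructed sample, and the SOAP layout and namespace are assumptions to check against your SP's documentation.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NOTIFY_NS = "urn:mace:shibboleth:2.0:sp:notify"  # assumed namespace of the Notify message

# Constructed sample of a back-channel logout notification (layout is an assumption).
SAMPLE_NOTIFY = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <n:LogoutNotification xmlns:n="urn:mace:shibboleth:2.0:sp:notify" type="global">
      <n:SessionID>_constructed_sp_session_1</n:SessionID>
    </n:LogoutNotification>
  </s:Body>
</s:Envelope>"""

class SessionIndex:
    """Maps SP (SAML) session IDs to the application sessions created from them."""
    def __init__(self):
        self.app_sessions = {}                 # app session id -> SP session id
        self.by_sp_session = defaultdict(set)  # SP session id -> app session ids

    def register(self, app_sid, sp_sid):
        # Call at application login with the SP session ID (e.g. Shib-Session-ID).
        self.app_sessions[app_sid] = sp_sid
        self.by_sp_session[sp_sid].add(app_sid)

    def is_active(self, app_sid):
        return app_sid in self.app_sessions

    def end_app_session(self, app_sid):
        # Application logout link: drop the app session before redirecting to SLO.
        sp_sid = self.app_sessions.pop(app_sid, None)
        if sp_sid is not None:
            self.by_sp_session[sp_sid].discard(app_sid)

    def end_sp_session(self, sp_sid):
        # Notify from the SP: end every app session tied to this SP session.
        killed = self.by_sp_session.pop(sp_sid, set())
        for app_sid in killed:
            self.app_sessions.pop(app_sid, None)
        return killed

def handle_backchannel_notify(index, soap_body):
    """Parse a logout notification and return the set of app sessions ended."""
    if "<!DOCTYPE" in soap_body.upper():  # refuse DTDs and entity definitions
        raise ValueError("DOCTYPE not allowed in notification")
    ended = set()
    for el in ET.fromstring(soap_body).iter("{%s}SessionID" % NOTIFY_NS):
        ended |= index.end_sp_session((el.text or "").strip())
    return ended
```

The handler is idempotent, so a repeated notification for an already-ended SP session is a no-op; the endpoint receiving it should only be reachable by the SP itself.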

