SP - Global Logout Feature question...

Cantor, Scott cantor.2 at osu.edu
Wed Sep 5 11:12:23 EDT 2018


> We are using the SP Shibboleth software for SSO. Recently we got a
> requirement to Logout a user on the IDP side. I thought this would be easy by
> using the following settings in the Shibboleth2.xml file.

I don't know where you got any of that, but there's certainly nothing called "Global". SAML2 is the only global logout protocol supported. Local is the plugin that is separately implemented from the SAML2 case. There is no such plugin as "Global". Furthermore, you're duplicating. The Logout element already defines the LogoutInitiator chain you're manually creating.
 
> For the logout we send the user to "/Shibboleth.sso/Logout" and they are only
> being logged out "Locally" and never being sent over to the IDP for logout.

Then you corrupted the configuration or the IdP doesn't support SAML logout. Most don't.

-- Scott
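
Added example, not part of the original message and not Shibboleth project code: a small check that flags the two problems named in the reply above (a LogoutInitiator type that is not a real plugin, and an explicit chain that duplicates the Logout element). The sample configuration is constructed, since the poster's file is not shown, and the set of accepted types is an assumption limited to the plugins the reply names plus the Chaining wrapper.

```python
import xml.etree.ElementTree as ET

# Assumption: plugin names from the reply (SAML2, Local) plus the Chaining
# wrapper. Extend this set if your SP loads extension plugins.
KNOWN_TYPES = {"Chaining", "SAML2", "Local"}

# Constructed sample, not the original poster's shibboleth2.xml.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions handlerURL="/Shibboleth.sso">
      <Logout>SAML2 Local</Logout>
      <LogoutInitiator type="Chaining" Location="/Logout">
        <LogoutInitiator type="Global"/>
        <LogoutInitiator type="Local"/>
      </LogoutInitiator>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""


def local(tag):
    """Strip the XML namespace so SP 2.x and 3.x files are both handled."""
    return tag.rsplit("}", 1)[-1]


def lint_logout(xml_text):
    """Return a list of findings about logout configuration under <Sessions>."""
    findings = []
    root = ET.fromstring(xml_text)
    for sessions in (e for e in root.iter() if local(e.tag) == "Sessions"):
        shorthand = [c for c in sessions if local(c.tag) == "Logout"]
        explicit = [c for c in sessions if local(c.tag) == "LogoutInitiator"]
        for el in shorthand:
            protos = (el.text or "").split()
            for p in protos:
                if p not in KNOWN_TYPES - {"Chaining"}:
                    findings.append(f"unknown protocol in <Logout>: {p}")
            if "SAML2" not in protos:
                findings.append("<Logout> lacks SAML2: logout stays local to the SP")
        if shorthand and explicit:
            findings.append("explicit LogoutInitiator duplicates <Logout>")
        for top in explicit:
            for el in top.iter():  # the chain wrapper and its nested plugins
                if local(el.tag) == "LogoutInitiator" and el.get("type") not in KNOWN_TYPES:
                    findings.append(f"unknown LogoutInitiator type: {el.get('type')}")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_logout(SAMPLE)))
```

A clean result only shows that the SP side is configured to attempt SAML2 logout; whether the IdP supports it has to be checked separately.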



