SP - Global Logout Feature question...

Dennis Fazekas Dennis_Fazekas at SHI.com
Wed Sep 5 11:38:21 EDT 2018

Greetings Nate,

Thank you for getting back to me.

I do see the following endpoints in the metadata. (the location was modified for this sample)

        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.abc123.com/adfs/ls/"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.abc123.com/adfs/ls/"/>

We are currently using Shibboleth v2.6.1. Do you recommend we upgrade to version 3? If so, will the existing configuration file continue working or do they require changes?

Do you think the global logout isn’t working because of our existing Shibboleth version?

Thanks again for your help.

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Nate Klingenstein
Sent: Wednesday, September 05, 2018 11:15 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: SP - Global Logout Feature question...


The most likely explanation is that your IdP doesn't have any SAML SingleLogoutService endpoints in its metadata.

I don't know if you're running SP 3 yet, but if so, the documentation is here:


You shouldn't need any further configuration of the Logout element in the SP beyond listing SAML2, and the LogoutInitiator configuration is probably redundant and unnecessary.  I don't know of any "global" configuration parameter.

If you're willing to go on a beta adventure, I can refer you to a new SAML testing service I've been building at https://samltest.id/ which does support front-channel SAML logout.  You can register your SP there and try logging in and out of the IdP.  The logout page at the IdP hasn't been skinned yet, but it is fully functional.

Take care,

On Wed, Sep 5, 2018 at 2:28 PM, Dennis Fazekas <Dennis_Fazekas at shi.com<mailto:Dennis_Fazekas at shi.com>> wrote:

We are using the SP Shibboleth software for SSO. Recently we got a requirement to Logout a user on the IDP side. I thought this would be easy by using the following settings in the Shibboleth2.xml file.

            <Logout>SAML2 global</Logout>
            <LogoutInitiator type="Chaining" Location="/Logout">
                <LogoutInitiator type="Global" />
                <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
                <LogoutInitiator type="Local" />

As listed is our current settings. I’ve tried “Global” too…

For the logout we send the user to “/Shibboleth.sso/Logout” and they are only being logged out “Locally” and never being sent over to the IDP for logout.

It’s probably something stupid I am missing, but I cannot seem to locate the issue. If anyone could help me get this working I would greatly appreciate it.

Thank you!

Dennis Fazekas  |  Cloud and Innovative Solutions (CIS) | Technical Lead

For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20180905/c7d7e829/attachment.html>

More information about the users mailing list