SP - Global Logout Feature question...

Nate Klingenstein ndk at sudonym.me
Wed Sep 5 12:04:11 EDT 2018


Dennis,

I would recommend upgrading to 3 anyway because that is the supported
version.  There is a page that describes the process:

https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2

and your old configuration would probably work; there are nuances that are
discussed in detail in the Wiki.

But all of that is tangential to the more likely issue, which is that those
appear based on the paths to be ADFS logout endpoints rather than SAML 2.0
logout endpoints.  It is possible to configure a 3.x SP to handle ADFS
logout, but I have no hands-on experience with ADFS logout nor its
configuration at all.

https://wiki.shibboleth.net/confluence/display/SP3/ADFS+LogoutInitiator

You'd need to either expose SAML 2.0 SLO endpoints or get ADFS logout
working.

Hope this helps,
Nate.

On Wed, Sep 5, 2018 at 3:38 PM, Dennis Fazekas <Dennis_Fazekas at shi.com>
wrote:

> Greetings Nate,
>
>
>
> Thank you for getting back to me.
>
>
>
> I do see the following endpoints in the metadata. (*the location was
> modified for this sample*)
>
>
>
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.abc123.com/adfs/ls/"/>
>
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.abc123.com/adfs/ls/"/>
>
>
>
> We are currently using Shibboleth v2.6.1. Do you recommend we upgrade to
> version 3? If so, will the existing configuration file continue working or
> do they require changes?
>
>
>
> Do you think the global logout isn’t working because of our existing
> Shibboleth version?
>
>
>
> Thanks again for your help.
>
>
>
> *From:* users [mailto:users-bounces at shibboleth.net] *On Behalf Of *Nate
> Klingenstein
> *Sent:* Wednesday, September 05, 2018 11:15 AM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* Re: SP - Global Logout Feature question...
>
>
>
> Dennis,
>
>
>
> The most likely explanation is that your IdP doesn't have any SAML
> SingleLogoutService endpoints in its metadata.
>
>
>
> I don't know if you're running SP 3 yet, but if so, the documentation is
> here:
>
>
>
> https://wiki.shibboleth.net/confluence/display/SP3/Logout
>
>
>
> You shouldn't need any further configuration of the Logout element in the
> SP beyond listing SAML2, and the LogoutInitiator configuration is probably
> redundant and unnecessary.  I don't know of any "global" configuration
> parameter.
>
>
>
> If you're willing to go on a beta adventure, I can refer you to a new SAML
> testing service I've been building at https://samltest.id/ which does
> support front-channel SAML logout.  You can register your SP there and try
> logging in and out of the IdP.  The logout page at the IdP hasn't been
> skinned yet, but it is fully functional.
>
>
>
> Take care,
>
> Nate.
>
> On Wed, Sep 5, 2018 at 2:28 PM, Dennis Fazekas <Dennis_Fazekas at shi.com>
> wrote:
>
> Greetings,
>
>
>
> We are using the SP Shibboleth software for SSO. Recently we got a
> requirement to log out a user on the IDP side. I thought this would be easy
> by using the following settings in the Shibboleth2.xml file.
>
>
>
>             <Logout>SAML2 global</Logout>
>             <LogoutInitiator type="Chaining" Location="/Logout">
>                 <LogoutInitiator type="Global" />
>                 <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
>                 <LogoutInitiator type="Local" />
>             </LogoutInitiator>
>
>
>
> Listed above are our current settings. I’ve tried “Global” too…
>
>
>
> For the logout we send the user to “/Shibboleth.sso/Logout” and they are
> only being logged out “Locally” and never being sent over to the IDP for
> logout.
>
>
>
> It’s probably something stupid I am missing, but I cannot seem to locate
> the issue. If anyone could help me get this working I would greatly
> appreciate it.
>
>
>
> Thank you!
>
>
>
> Dennis Fazekas  |  Cloud and Innovative Solutions (CIS) | Technical Lead
>
>
>
>
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
>
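
The first check suggested in this thread, whether the IdP metadata publishes any SAML 2.0 SingleLogoutService endpoints, can be scripted. The following is an added example, not part of the original messages or of the Shibboleth software; the sample metadata is constructed around the two endpoint lines quoted above, and the entityID and function names are assumptions. It reports only what the metadata advertises, not how the IdP behaves at that URL.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2_BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
FRONT_CHANNEL = {"HTTP-Redirect", "HTTP-POST"}  # browser-mediated bindings

# Constructed sample: only the two SingleLogoutService lines come from the thread;
# the entityID and the SingleSignOnService line are placeholders.
IDP_WITH_SLO = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sso.abc123.com/example">
  <IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <SingleLogoutService Binding="{SAML2_BINDINGS}HTTP-Redirect" Location="https://sso.abc123.com/adfs/ls/"/>
    <SingleLogoutService Binding="{SAML2_BINDINGS}HTTP-POST" Location="https://sso.abc123.com/adfs/ls/"/>
    <SingleSignOnService Binding="{SAML2_BINDINGS}HTTP-Redirect" Location="https://sso.abc123.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: the same IdP with no logout endpoints published.
IDP_WITHOUT_SLO = "\n".join(
    line for line in IDP_WITH_SLO.splitlines() if "SingleLogoutService" not in line
)


def slo_endpoints(metadata_xml):
    """List SAML 2.0 SingleLogoutService endpoints published by IdP roles."""
    root = ET.fromstring(metadata_xml)  # use only on metadata from a trusted source
    endpoints = []
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        # The role must declare SAML 2.0 protocol support at all.
        if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
            continue
        for slo in idp.findall(f"{{{MD_NS}}}SingleLogoutService"):
            binding = slo.get("Binding", "").strip()
            if not binding.startswith(SAML2_BINDINGS):
                continue  # not a SAML 2.0 binding URI
            short = binding[len(SAML2_BINDINGS):]
            endpoints.append({
                "binding": short,
                "location": slo.get("Location", "").strip(),
                "front_channel": short in FRONT_CHANNEL,
            })
    return endpoints


def has_saml2_slo(metadata_xml):
    """True when at least one SAML 2.0 logout endpoint is advertised."""
    return bool(slo_endpoints(metadata_xml))


if __name__ == "__main__":
    for ep in slo_endpoints(IDP_WITH_SLO):
        print(ep["binding"], ep["location"], "front-channel" if ep["front_channel"] else "other")
    print("without SLO:", has_saml2_slo(IDP_WITHOUT_SLO))
```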