SP - Global Logout Feature question...
Dennis Fazekas
Dennis_Fazekas at SHI.com
Wed Sep 5 11:45:30 EDT 2018
Greetings Scott,
We are using Shibboleth v2.6.1 and I got the information from this URL:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator
As an experiment I added the following line, but that obviously didn't work. :)
<LogoutInitiator type="Global" />
Is the following line still valid?
<Logout>SAML2 global</Logout>
If the IdP's metadata has the following SingleLogoutService, would that mean they support IdP logoff, or does that mean something else?
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.abc123.com/adfs/ls/"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.abc123.com/adfs/ls/"/>
Thanks for all your help.
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, September 05, 2018 11:12 AM
To: Shib Users <users at shibboleth.net>
Subject: RE: SP - Global Logout Feature question...
> We are using the SP Shibboleth software for SSO. Recently we got a
> requirement to Logout a user on the IDP side. I thought this would be
> easy by using the following settings in the Shibboleth2.xml file.
I don't know where you got any of that, but there's certainly nothing called "Global". SAML2 is the only global logout protocol supported. Local is the plugin that is separately implemented from the SAML2 case. There is no such plugin as "Global". Furthermore you're duplicating. The Logout element already defines the LogoutInitiator chain you're manually creating.
> For the logout we send the user to "/Shibboleth.sso/Logout" and they
> are only being logged out "Locally" and never being sent over to the IDP for logout.
Then you corrupted the configuration or the IdP doesn't support SAML logout. Most don't.
-- Scott
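
Added example, not part of the original thread and not Shibboleth's own code: a Python check that lists the SAML 2.0 Single Logout endpoints an IdP's metadata advertises, run over the two SingleLogoutService elements quoted in the message. The entityID, the SingleSignOnService line and the function name are assumptions made up for the example; an advertised endpoint shows what the metadata declares, not that logout works end to end.

```python
"""Added example: list the SAML 2.0 Single Logout endpoints in IdP metadata."""
import xml.etree.ElementTree as ET  # for untrusted metadata, use a hardened parser

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample: the entityID and SingleSignOnService are made up; the two
# SingleLogoutService elements are the ones quoted in the message.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.org/constructed">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.abc123.com/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.abc123.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.abc123.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def idp_slo_endpoints(metadata_xml):
    """Map each IdP entityID to the (binding, location) pairs it advertises for SLO.

    An IdP role with no SingleLogoutService maps to an empty list.
    """
    result = {}
    root = ET.fromstring(metadata_xml)
    # iter() also yields the root, so a single EntityDescriptor and an
    # EntitiesDescriptor aggregate are both handled.
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        for role in entity.findall(f"{{{MD}}}IDPSSODescriptor"):
            if SAML2_PROTOCOL not in role.get("protocolSupportEnumeration", "").split():
                continue  # not a SAML 2.0 IdP role
            endpoints = result.setdefault(entity.get("entityID"), [])
            for slo in role.findall(f"{{{MD}}}SingleLogoutService"):
                binding = slo.get("Binding", "")
                if binding.startswith(BINDING_PREFIX):
                    binding = binding[len(BINDING_PREFIX):]
                endpoints.append((binding, slo.get("Location")))
    return result


if __name__ == "__main__":
    for entity_id, endpoints in idp_slo_endpoints(SAMPLE_METADATA).items():
        if not endpoints:
            print(f"{entity_id}: no SingleLogoutService advertised")
        for binding, location in endpoints:
            print(f"{entity_id}: SLO via {binding} at {location}")
```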