SP - Global Logout Feature question...
Dennis_Fazekas at SHI.com
Wed Sep 5 11:45:30 EDT 2018
We are using Shibboleth v2.6.1 and I got the information from this URL:
As an experiment I added the following line, but that obviously didn't work. :)
<LogoutInitiator type="Global" />
Is the following line still valid?
If the IdP's metadata has the following SingleLogoutService would that mean they support IdP logoff or does that mean something else?
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.abc123.com/adfs/ls/"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.abc123.com/adfs/ls/"/>
Thanks for all your help.
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, September 05, 2018 11:12 AM
To: Shib Users <users at shibboleth.net>
Subject: RE: SP - Global Logout Feature question...
> We are using the SP Shibboleth software for SSO. Recently we got a
> requirement to Logout a user on the IDP side. I thought this would be
> easy by using the following settings in the Shibboleth2.xml file.
I don't know where you got any of that, but there's certainly nothing called "Global". SAML2 is the only global logout protocol supported. Local is the plugin that is separately implemented from the SAML2 case. There is no such plugin as "Global". Furthermore you're duplicating. The Logout element already defines the LogoutInitiator chain you're manually creating.
> For the logout we send the user to "/Shibboleth.sso/Logout" and they
> are only being logged out "Locally" and never being sent over to the IDP for logout.
Then you corrupted the configuration or the IdP doesn't support SAML logout. Most don't.
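On the metadata question raised above: a `SingleLogoutService` element inside an `IDPSSODescriptor` is how SAML 2.0 metadata advertises the endpoints and bindings an IdP publishes for the Single Logout profile. The following Python sketch is an added example, not part of the original thread or of the Shibboleth code base. It lists those endpoints per IdP from a metadata document. The function names and the placeholder entityID are assumptions, and the sample metadata is constructed around the two lines quoted in the post.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample: the entityID is a placeholder; the two SingleLogoutService
# lines are the ones quoted in the post, with the metadata namespace added.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.org/placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:SingleLogoutService Binding="{BINDING_PREFIX}HTTP-Redirect" Location="https://sso.abc123.com/adfs/ls/"/>
    <md:SingleLogoutService Binding="{BINDING_PREFIX}HTTP-POST" Location="https://sso.abc123.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_slo_endpoints(metadata_xml):
    """Map each IdP entityID to the SAML 2.0 logout endpoints its metadata advertises."""
    # Real metadata should have its signature verified before it is trusted.
    root = ET.fromstring(metadata_xml)
    found = {}
    # iter() also yields the root, so a single EntityDescriptor and an
    # EntitiesDescriptor aggregate are both handled.
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        for idp in entity.findall(f"{{{MD}}}IDPSSODescriptor"):
            protocols = idp.get("protocolSupportEnumeration", "").split()
            if SAML2_PROTOCOL not in protocols:
                continue  # role does not speak SAML 2.0, so no SAML2 logout
            endpoints = found.setdefault(entity.get("entityID"), [])
            for slo in idp.findall(f"{{{MD}}}SingleLogoutService"):
                location = slo.get("Location", "")
                endpoints.append({
                    "binding": slo.get("Binding", "").replace(BINDING_PREFIX, ""),
                    "location": location,
                    "https": location.lower().startswith("https://"),
                })
    return found


def advertises_saml2_logout(metadata_xml, entity_id):
    """True only if the named IdP lists at least one HTTPS SingleLogoutService."""
    return any(e["https"] for e in idp_slo_endpoints(metadata_xml).get(entity_id, []))


if __name__ == "__main__":
    for entity_id, endpoints in idp_slo_endpoints(SAMPLE_METADATA).items():
        print(entity_id, endpoints or "no SingleLogoutService advertised")
```

An empty list for an IdP means its metadata publishes no logout endpoint, so there is nowhere to send a SAML 2.0 LogoutRequest for that entity.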