SP - Global Logout Feature question...

Nate Klingenstein ndk at sudonym.me
Wed Sep 5 13:11:20 EDT 2018


No problem, but note that Scott was right in his correction of me.  I was looking at the URLs and not the bindings due to connectivity issues (in the middle of moving) and a cracked iPhone, derp herp.

Still, I’d advise upgrading, checking the logs to see what’s happening, and testing with an IdP that is known to handle logout.

Best,
Nate.

Sent from my iPhone

> On Sep 5, 2018, at 11:05 AM, Dennis Fazekas <Dennis_Fazekas at SHI.com> wrote:
> 
> Greetings Nate,
>  
> Thanks again for all the excellent information. I will investigate upgrading to the latest 3.x version of Shibboleth. I think that will be my first best step, then I will investigate the ADFS link further.
>  
> Greatly appreciated!
>  
> Dennis
>  
>  
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Nate Klingenstein
> Sent: Wednesday, September 05, 2018 12:04 PM
> To: Shib Users <users at shibboleth.net>
> Subject: Re: SP - Global Logout Feature question...
>  
> Dennis,
>  
> I would recommend upgrading to 3 anyway because that is the supported version.  There is a page that describes the process:
>  
> https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2
>  
> and your old configuration would probably work; there are nuances that are discussed in detail in the Wiki.
>  
> But all of that is tangential to the more likely issue, which is that those appear based on the paths to be ADFS logout endpoints rather than SAML 2.0 logout endpoints.  It is possible to configure a 3.x SP to handle ADFS logout, but I have no hands-on experience with ADFS logout nor its configuration at all.
>  
> https://wiki.shibboleth.net/confluence/display/SP3/ADFS+LogoutInitiator
>  
> You'd need to either expose SAML 2.0 SLO endpoints or get ADFS logout working.
>  
> Hope this helps,
> Nate.
>  
> On Wed, Sep 5, 2018 at 3:38 PM, Dennis Fazekas <Dennis_Fazekas at shi.com> wrote:
> Greetings Nate,
>  
> Thank you for getting back to me.
>  
> I do see the following endpoints in the metadata. (the location was modified for this sample)
>  
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.abc123.com/adfs/ls/"/>
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.abc123.com/adfs/ls/"/>
>  
> We are currently using Shibboleth v2.6.1. Do you recommend we upgrade to version 3? If so, will the existing configuration files continue working, or do they require changes?
>  
> Do you think the global logout isn’t working because of our existing Shibboleth version?
>  
> Thanks again for your help.
>  
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Nate Klingenstein
> Sent: Wednesday, September 05, 2018 11:15 AM
> To: Shib Users <users at shibboleth.net>
> Subject: Re: SP - Global Logout Feature question...
>  
> Dennis,
>  
> The most likely explanation is that your IdP doesn't have any SAML SingleLogoutService endpoints in its metadata.
>  
> I don't know if you're running SP 3 yet, but if so, the documentation is here:
>  
> https://wiki.shibboleth.net/confluence/display/SP3/Logout
>  
> You shouldn't need any further configuration of the Logout element in the SP beyond listing SAML2, and the LogoutInitiator configuration is probably redundant and unnecessary.  I don't know of any "global" configuration parameter.
>  
> If you're willing to go on a beta adventure, I can refer you to a new SAML testing service I've been building at https://samltest.id/ which does support front-channel SAML logout.  You can register your SP there and try logging in and out of the IdP.  The logout page at the IdP hasn't been skinned yet, but it is fully functional.
>  
> Take care,
> Nate.
>  
>  
>  
> On Wed, Sep 5, 2018 at 2:28 PM, Dennis Fazekas <Dennis_Fazekas at shi.com> wrote:
> Greetings,
>  
> We are using the SP Shibboleth software for SSO. Recently we got a requirement to log out a user on the IdP side. I thought this would be easy by using the following settings in the Shibboleth2.xml file.
>  
>             <Logout>SAML2 global</Logout>
>             <LogoutInitiator type="Chaining" Location="/Logout">
>                 <LogoutInitiator type="Global" />
>                 <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
>                 <LogoutInitiator type="Local" />
>             </LogoutInitiator>
>  
> As listed is our current settings. I’ve tried “Global” too…
>  
> For the logout we send the user to “/Shibboleth.sso/Logout” and they are only being logged out “Locally” and never being sent over to the IdP for logout.
>  
> It’s probably something stupid I am missing, but I cannot seem to locate the issue. If anyone could help me get this working I would greatly appreciate it.
>  
> Thank you!
>  
> Dennis Fazekas  |  Cloud and Innovative Solutions (CIS) | Technical Lead
>  
> 
> -- 
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
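The thread turns on two checks a practitioner would want to make before touching the SP configuration: does the IdP metadata advertise SingleLogoutService endpoints with SAML 2.0 bindings (judged by the Binding attribute, not by whether the Location path looks like ADFS, which is the correction Nate acknowledges above), and what does the SP's SAML2 logout initiator actually send to such an endpoint. The following is an added example, not code from the Shibboleth project or from anyone in this thread. It parses a constructed metadata document mirroring Dennis's sample, reports whether front-channel SAML 2.0 SLO is possible, and builds the HTTP-Redirect form of a LogoutRequest. The hostnames, entity IDs, NameID and SessionIndex are placeholders, and the request is deliberately left unsigned: a real SP adds SigAlg and Signature query parameters, and most IdPs (ADFS among them) reject an unsigned one.

```python
"""Added example, not code from the Shibboleth project or from this thread.

Checks what the SP's SAML2 logout initiator can find in IdP metadata, deciding
on the Binding attribute rather than the Location path (an /adfs/ls/ URL with
a SAML 2.0 binding is a SAML 2.0 endpoint), then builds the HTTP-Redirect form
of the LogoutRequest the SP would send there. Hostnames, entity IDs and the
metadata document are constructed placeholders mirroring the thread's sample.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
FRONT_CHANNEL = (REDIRECT, POST)

# Constructed sample: an ADFS-hosted IdP advertising SAML 2.0 SLO endpoints.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD_NS}" entityID="http://sso.abc123.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <SingleLogoutService Binding="{REDIRECT}" Location="https://sso.abc123.com/adfs/ls/"/>
    <SingleLogoutService Binding="{POST}" Location="https://sso.abc123.com/adfs/ls/"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://sso.abc123.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def slo_endpoints(metadata_xml):
    """Map binding URI -> Location for every SingleLogoutService in an IdP role
    that supports SAML 2.0. Raises ValueError when no such role exists."""
    root = ET.fromstring(metadata_xml)
    found, saml2_role = {}, False
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
            continue
        saml2_role = True
        for slo in idp.findall(f"{{{MD_NS}}}SingleLogoutService"):
            if slo.get("Binding") and slo.get("Location"):
                found.setdefault(slo.get("Binding"), slo.get("Location"))
    if not saml2_role:
        raise ValueError("no IDPSSODescriptor supporting SAML 2.0 in metadata")
    return found


def diagnose(metadata_xml):
    """Return (status, detail) describing whether front-channel SAML 2.0 SLO is
    possible; 'no-slo' is the case where the SP can only log out locally."""
    endpoints = slo_endpoints(metadata_xml)
    usable = {b: loc for b, loc in endpoints.items() if b in FRONT_CHANNEL}
    if not endpoints:
        return "no-slo", "IdP advertises no SingleLogoutService; only a local logout is possible"
    if not usable:
        return "no-front-channel", f"SLO bindings present but none is Redirect/POST: {sorted(endpoints)}"
    adfs_path = any("/adfs/ls" in loc for loc in usable.values())
    label = "ADFS-hosted path, still SAML 2.0 by binding" if adfs_path else "SAML 2.0 endpoint"
    return "ok", f"{label}: {usable}"


def redirect_logout_url(location, sp_entity_id, name_id, session_index,
                        request_id="_example-request-1", issue_instant="2018-09-05T15:00:00Z"):
    """Build the HTTP-Redirect form of a SAML 2.0 LogoutRequest: raw DEFLATE,
    base64, URL-encode into the SAMLRequest query parameter. Unsigned on purpose;
    a real SP appends SigAlg and Signature, which ADFS and most IdPs require."""
    request = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAML2_PROTOCOL}" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" Destination="{location}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        f'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>'
        f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>"
        f"</samlp:LogoutRequest>"
    )
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(request.encode()) + compressor.flush()
    encoded = base64.b64encode(deflated).decode()
    separator = "&" if "?" in location else "?"
    return location + separator + urllib.parse.urlencode({"SAMLRequest": encoded})


def decode_redirect_request(url):
    """Inverse of redirect_logout_url: recover the LogoutRequest XML from a URL,
    useful when reading what the SP actually redirected to out of its logs."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


if __name__ == "__main__":
    status, detail = diagnose(SAMPLE_METADATA)
    print(status, detail)
    if status == "ok":
        target = slo_endpoints(SAMPLE_METADATA)[REDIRECT]
        url = redirect_logout_url(target, "https://sp.example.org/shibboleth", "dfazekas", "_session1")
        print(url)
        print(decode_redirect_request(url))
```

Run it against the real IdP metadata the SP has loaded (the file named in the SP's MetadataProvider) in place of SAMPLE_METADATA. A "no-slo" result matches Nate's first diagnosis and means no Logout or LogoutInitiator setting in shibboleth2.xml will produce an IdP-side logout; an "ok" result with an ADFS path means the endpoints are SAML 2.0 by binding, so the next thing to inspect is the SP log and whether the IdP accepted the (signed) request.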