IDP logout customizations

Jason B. Rappaport jasonrap at princeton.edu
Fri Apr 5 09:05:20 EDT 2019


Liam – we created custom .jsp files on our IDP that include a series of logout calls to critical SPs only (financials, procurement, etc.), and clear one’s SSO session.  However, the practice is not sustainable: as service owners update their service and/or SP, the logout calls often 404.

 

Thanks, Jay 

 

________________________________
Jason Rappaport
Identity and Access Management Analyst
Office of Information Technology
Email: jasonrap at princeton.edu
Office: 609-258-8464

From: users <users-bounces at shibboleth.net> On Behalf Of Liam Hoekenga
Sent: Thursday, April 4, 2019 5:16 PM
To: Shib Users <users at shibboleth.net>
Subject: IDP logout customizations

 

I'd like to talk to list members from institutions that have customized the logout behavior of IDP v3.

 

We're migrating from a legacy SSO solution, and had previously "customized" the provided logout functionality to tie it into the SLO for our legacy solution (more "rip and replace" than customize).

 

After talking to our stakeholders, the desired behavior seems to be:

- logout of service provider (kill application and SP sessions)
- kill IDP session
- if service provided a redirect URL, send the user to that location
- user must log in again before they're able to access that service provider

 

I've been in touch with Minnesota and they have some stuff that looks promising, but also requires the alteration of the system logout flows.  I'd like to see what other places have done to try and figure out what we want to do.

 

thanks!

Liam
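
The third item in the desired behavior above (sending the user to a redirect URL supplied by the service) needs a check that the URL belongs to the SP that asked for the logout. The sketch below is an added example, not code from either poster or from the Shibboleth IdP; the entityIDs, hosts and landing path are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed registry (hypothetical names): SP entityID -> hosts accepted
# as post-logout redirect targets for that SP.
ALLOWED_RETURN_HOSTS = {
    "https://finance.example.edu/shibboleth": {"finance.example.edu"},
    "https://procure.example.edu/shibboleth": {"procure.example.edu"},
}
DEFAULT_LANDING = "/idp/logged-out"  # hypothetical local "logged out" page


def safe_return_url(sp_entity_id, return_url):
    """Return return_url if it is an https URL on a host registered for this
    SP, otherwise the local landing page. Meant to run after the SP and IdP
    sessions have been destroyed."""
    if not return_url:
        return DEFAULT_LANDING
    # Backslashes, whitespace and control characters are handled differently
    # by browsers and by urlsplit, so refuse them instead of normalising.
    if any(ord(c) <= 0x20 or c in "\\\x7f" for c in return_url):
        return DEFAULT_LANDING
    try:
        parts = urlsplit(return_url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT_LANDING
    if parts.scheme != "https" or port not in (None, 443):
        return DEFAULT_LANDING
    if parts.username is not None or parts.password is not None:
        return DEFAULT_LANDING  # "https://good-host@other-host/" form
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_RETURN_HOSTS.get(sp_entity_id, set()):
        return DEFAULT_LANDING
    return return_url


if __name__ == "__main__":
    sp = "https://finance.example.edu/shibboleth"
    for candidate in (
        "https://finance.example.edu/portal",              # registered host
        "https://procure.example.edu/",                    # another SP's host
        "https://finance.example.edu@other.example.net/",  # userinfo present
        "//other.example.net/",                            # scheme-relative
        "http://finance.example.edu/",                     # not https
    ):
        print(f"{candidate!r:55} -> {safe_return_url(sp, candidate)}")
```
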

 
