httpd & Shibboleth SP: select logout handler based on Shib-AuthnContext-Class

Jakub Danek jakub.danek at
Wed Oct 23 05:33:22 EDT 2019


We are trying to solve the following problem:

We are running Shibboleth SP 2 (migration to SP3 already scheduled) and
Apache httpd as a proxy to multiple applications. The IdP which we are using
(but which we don't control) is offering multiple authentication methods. For
all but one of them SLO works; for that one, an SLO attempt results in a SAML
error message. Support claims the IdP is handling that particular
authentication differently and SLO is not possible.

So, for most authentication methods SLO works perfectly and is desired; for a
single authentication method it results in the user seeing an error page upon
logout. Such behaviour is not acceptable, so we need to solve it somehow
on the SP side (which we control).

Our current idea is to create two Logout handlers, one for SAML2 SLO and
one for Local Logout. Apache httpd would provide a single Logout endpoint
which would redirect to one of the handlers based on the
Shib-AuthnContext-Class. That way the behaviour is transparent to the
applications protected by the SP and to the user. Unfortunately, I have not been
able to figure out whether it is possible to access Shib-AuthnContext-Class
inside httpd request processing and perform a redirect based on its value.

Is it possible? Or is there a better solution to the problem?

Also, am I correct in assuming that the IdP is actually misbehaving when
its metadata offers SLO endpoints, but they work only for some of the
authentication methods?

Thank you for any help.
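One way to wire up the two-handler idea described in the post, as an added example that is not from the original message or from the Shibboleth project. It assumes Apache 2.4 with mod_shib exporting attributes as environment variables (the SP default), two LogoutInitiator handlers added to shibboleth2.xml as shown in the comments, and a placeholder AuthnContext class URN for the method whose SLO fails.

```apache
# Added example, not from the original post. Assumed shibboleth2.xml additions
# inside <Sessions handlerURL="/Shibboleth.sso" ...>, giving two separate handlers:
#   <LogoutInitiator type="SAML2" Location="/SAMLLogout" template="bindingTemplate.html"/>
#   <LogoutInitiator type="Local" Location="/LocalLogout"/>
# urn:example:ac:classes:NoSLOMethod is a placeholder for the real class URN
# of the one authentication method whose SLO the IdP cannot complete.

<Location /logout>
    # Lazy session: mod_shib exports Shib-* variables when a session exists,
    # but requireSession 0 avoids forcing a fresh login just to log out.
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    Require shibboleth

    RewriteEngine On

    # No SP session at all: nothing to terminate, send the user to the landing page.
    RewriteCond %{ENV:Shib-Session-ID} ^$
    RewriteRule ^ /logged-out.html [R=302,L]

    # The method for which the IdP cannot do SLO: end only the SP session,
    # so the user never reaches the IdP's error page.
    RewriteCond %{ENV:Shib-AuthnContext-Class} ^urn:example:ac:classes:NoSLOMethod$
    RewriteRule ^ /Shibboleth.sso/LocalLogout?return=/logged-out.html [R=302,L]

    # Every other method: full SAML2 single logout through the IdP.
    RewriteRule ^ /Shibboleth.sso/SAMLLogout?return=/logged-out.html [R=302,L]
</Location>
```

Applications behind the proxy link to /logout only, so the choice of handler stays invisible to them; the Local branch still leaves the IdP session alive, which is the trade-off the post is already accepting for that one method.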

