How to configure single logout redirect

Nate Klingenstein ndk at sudonym.me
Mon Jul 5 16:18:01 UTC 2021


Egobrc,

The coordinating entity in SAML 2.0 Logout is the IdP, whether
front-channel or back-channel.  The goal is to ensure that all sessions
associated with the IdP session are cleared, so the IdP orchestrates the
process and is intended to be the ultimate landing point.  See 4.4:

https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

The RelayState in a response can tell the SP additional information to send
back to the IdP to complete logout, but it's up to the IdP to determine the
value of the RelayState and to use it when returned.  The SP is not
permitted to modify it.  It looks like this coming out of a 3.x IdP (I don't
have a 4.x one on hand to look at):

*RelayState*: corr:1625500968_47db

After the logout process itself is complete, the profile says nothing about
what to do or display to the user.  You could modify logout.vm at the IdP
to (have the option to, or forcibly) finish with a JavaScript redirect to a
login page after the proceed event is called.  That would be the easy way.

Take care,
Nate.

On Mon, Jul 5, 2021 at 3:42 PM egobrc at gmail.com <egobrc at gmail.com> wrote:

> Hi everybody, I am trying to understand how the SingleLogoutService
> works with Http-redirect option
> (
> https://wiki.shibboleth.net/confluence/display/SP3/SAML+2.0+SingleLogoutService
> ) .
>
> That wiki page states that: If the message is a response, then the SP
> completes the logout operation by redirecting to the browser to a
> location preserved by relay state, if any, or the globalLogout
> template is displayed.
>
> My question is: is it possible to configure the final redirect
> location? E.g. pointing the user to a login page? I did not understand
> the statement "redirecting to the browser to a location preserved by
> relay state, if any".
>
> Thanks
>
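
The RelayState round trip described in the reply above, sketched in Python as an added example that is not part of the original thread and not Shibboleth code. The endpoints and XML bodies are constructed placeholders, the function names are hypothetical, and the signature parameters of the HTTP-Redirect binding are left out; only the RelayState string comes from the message.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: both endpoints are hypothetical placeholders.
IDP_SLO_URL = "https://idp.example.org/slo"
SP_SLO_URL = "https://sp.example.org/slo"
MAX_RELAY_STATE_BYTES = 80  # limit set by the SAML 2.0 bindings spec


def deflate_b64(xml: str) -> str:
    """HTTP-Redirect encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value: str) -> str:
    """Inverse of deflate_b64, used by the receiving side."""
    return zlib.decompress(base64.b64decode(value), wbits=-15).decode()


def redirect_url(endpoint, param, xml, relay_state=None) -> str:
    """Build an unsigned HTTP-Redirect URL carrying one SAML message."""
    query = {param: deflate_b64(xml)}
    if relay_state is not None:
        if len(relay_state.encode()) > MAX_RELAY_STATE_BYTES:
            raise ValueError("RelayState exceeds 80 bytes")
        query["RelayState"] = relay_state
    return endpoint + "?" + urlencode(query)


def sp_response_url(request_url: str, response_xml: str) -> str:
    """SP side: answer a LogoutRequest and echo RelayState byte for byte."""
    params = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    # The value is opaque to the SP: it is never parsed or rewritten.
    relay = params.get("RelayState", [None])[0]
    return redirect_url(IDP_SLO_URL, "SAMLResponse", response_xml, relay)


def idp_accepts(response_url: str, issued_relay_state: str) -> bool:
    """IdP side: the returned RelayState must be exactly the value it issued."""
    params = parse_qs(urlsplit(response_url).query, keep_blank_values=True)
    return params.get("RelayState") == [issued_relay_state]
```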