Shibboleth Proxy to Azure: Completing logout.

Cantor, Scott cantor.2 at
Wed Jan 19 21:01:06 UTC 2022

On 1/19/22, 3:30 PM, "Michael Grady" <mgrady at> wrote:

>    And if you are not trying to propagate logout anyways, another option might be you simply do not have the
> Shib IdP keep a session in the first place, and list an Azure AD logout endpoint that does not require a SAML
> logout message (just like the Shib IdP's profile/Logout endpoint) as the logout endpoint when you configure
> the SP with the Shib IdP. (Assuming Azure AD has such a logout endpoint.) 

I think the best option would be to always use an indirected script when using the IdP's logout endpoint, and you can always change that to do an immediate redirect to Azure, making it transparent to the SP, if you drop the IdP's session out.

Whenever you're dealing with something not in the metadata, you have something "unmanaged", and that should never be directly pointing to a piece of software you don't control (as in, the IdP could change that URL for some reason, but a script you own lives where you decide it does).

I use /cgi-bin/logout.cgi on my IdP servers for that, and I never allow direct references to /idp/profile/Logout.

-- Scott
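The indirection script Scott describes, as an added example that is not his /cgi-bin/logout.cgi nor any Shibboleth project code: a CGI endpoint you own that SPs are pointed at instead of /idp/profile/Logout, which then decides (by a server-side setting) whether to hand the browser to the IdP's own logout flow or straight to Azure AD. The IdP hostname, the Azure AD logout URL, the query parameter names and the allow-listed hosts are all placeholders and assumptions; only the /idp/profile/Logout path comes from the thread. Because the script's URL is the only thing in anyone's configuration, the target can be flipped without touching SP metadata, and the allow-list check on the post-logout landing page keeps the script from becoming an open redirect.

```python
"""Indirection logout endpoint (hypothetical example).

SPs are configured with this script's URL as the logout endpoint. The script
itself decides where the browser actually goes, so the real logout target can
change without any SP or metadata change.
"""
import os
import sys
from urllib.parse import urlencode, urlparse

# Real Shibboleth logout path on an assumed IdP host.
IDP_LOGOUT_URL = "https://idp.example.edu/idp/profile/Logout"
# Placeholder: substitute the Azure AD logout endpoint your tenant uses.
AZURE_LOGOUT_URL = "https://AZURE-LOGOUT-ENDPOINT-PLACEHOLDER/"
# Query parameter names are assumptions, not documented values.
RETURN_PARAM = {"idp": "return", "azure": "post_logout_redirect_uri"}

# Server-side switch: "idp" keeps the IdP logout flow (propagation), "azure"
# bypasses the IdP session and goes straight to Azure AD.
LOGOUT_TARGET = os.environ.get("LOGOUT_TARGET", "idp")

# Constructed allow-list: only these hosts may receive the user after logout.
ALLOWED_RETURN_HOSTS = {"sp.example.edu", "portal.example.edu"}


def safe_return_url(candidate):
    """Return candidate if it is an https URL on an allow-listed host, else None.

    Anything else is dropped so the script cannot be abused as an open redirect.
    """
    if not candidate:
        return None
    parts = urlparse(candidate)
    if parts.scheme != "https":
        return None
    if parts.netloc.lower() not in ALLOWED_RETURN_HOSTS:
        return None
    return candidate


def logout_location(target, return_url=None):
    """Build the Location header value for the logout redirect.

    target: "idp" or "azure" (see LOGOUT_TARGET).
    return_url: optional post-logout landing page; forwarded only if it
                passes safe_return_url().
    """
    if target == "idp":
        base = IDP_LOGOUT_URL
    elif target == "azure":
        base = AZURE_LOGOUT_URL
    else:
        raise ValueError("unknown logout target: %r" % (target,))

    landing = safe_return_url(return_url)
    if landing is None:
        return base
    return base + "?" + urlencode({RETURN_PARAM[target]: landing})


def main():
    """CGI entry point: read the optional return URL and emit a 302."""
    from urllib.parse import parse_qs
    query = parse_qs(os.environ.get("QUERY_STRING", ""))
    requested = query.get("return", [None])[0]
    location = logout_location(LOGOUT_TARGET, requested)
    sys.stdout.write("Status: 302 Found\r\n")
    sys.stdout.write("Location: %s\r\n" % location)
    sys.stdout.write("Cache-Control: no-store\r\n\r\n")


if __name__ == "__main__":
    main()
```

Switching where logout lands is then an environment change on the IdP host (LOGOUT_TARGET=azure), and the SPs never learn that anything moved.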
