Shibboleth Proxy to Azure: Completing logout.

Jeffrey Williams jfwillia at
Wed Jan 19 21:45:43 UTC 2022

On Wed, Jan 19, 2022 at 4:01 PM Cantor, Scott <cantor.2 at> wrote:

> On 1/19/22, 3:30 PM, "Michael Grady" <mgrady at> wrote:
> > And if you are not trying to propagate logout anyways, another option
> > might be you simply do not have the Shib IdP keep a session in the first
> > place, and list an Azure AD logout endpoint that does not require a SAML
> > logout message (just like the Shib IdP's profile/Logout endpoint) as the
> > logout endpoint when you configure the SP with the Shib IdP. (Assuming
> > Azure AD has such a logout endpoint.)

I had not considered dropping Shib IDP session creation as a whole. That
seems like a pretty elegant solution to the problem.  Is configuring for
that as straightforward as setting ip.session.enabled=false in, or is there anything else that'd need to be done?

I remembered looking at a meta refresh redirect to Azure, but found that
the url that Azure SSO uses is indeed SAML-based(
Does that make this sort of logout a feature request or is there some way
to craft and send the samlp:LogoutRequest in the template?

> Whenever you're dealing with something not in the metadata, you have
> something "unmanaged", and that should never be directly pointing to a
> piece of software you don't control (as in, the IdP could change that URL
> for some reason, but a script you own lives where you decide it does).
> I use /cgi-bin/logout.cgi on my IdP servers for that, and I never allow
> direct references to /idp/profile/Logout.
> -- Scott

Jeffrey Williams
Identity & Access Engineer
Identity & Access Services