Shibboleth Proxy to Azure: Completing logout.
jfwillia at uncg.edu
Wed Jan 19 21:45:43 UTC 2022
On Wed, Jan 19, 2022 at 4:01 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 1/19/22, 3:30 PM, "Michael Grady" <mgrady at unicon.net> wrote:
> > And if you are not trying to propagate logout anyway, another option
> > might be you simply do not have the Shib IdP keep a session in the first
> > place, and list an Azure AD logout endpoint that does not require a SAML
> > logout message (just like the Shib IdP's profile/Logout endpoint) as the
> > logout endpoint when you configure the SP with the Shib IdP. (Assuming
> > Azure AD has such a logout endpoint.)
I had not considered dropping Shib IdP session creation as a whole. That
seems like a pretty elegant solution to the problem. Is configuring for
that as straightforward as setting idp.session.enabled=false in
idp.properties, or is there anything else that'd need to be done?
I remembered looking at a meta refresh redirect to Azure, but found that
the URL that Azure SSO uses is indeed SAML-based(
Does that make this sort of logout a feature request, or is there some way
to craft and send the samlp:LogoutRequest in the template?
> Whenever you're dealing with something not in the metadata, you have
> something "unmanaged", and that should never be directly pointing to a
> piece of software you don't control (as in, the IdP could change that URL
> for some reason, but a script you own lives where you decide it does).
> I use /cgi-bin/logout.cgi on my IdP servers for that, and I never allow
> direct references to /idp/profile/Logout.
> -- Scott
Identity & Access Engineer
Identity & Access Services
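As an added illustration of the indirection Scott describes above (an operator-owned script in front of the IdP's Logout endpoint), not code from the thread or from the Shibboleth project: a minimal POSIX-sh CGI that expires the IdP's session cookies and redirects the browser to the real Logout URL. Applications and metadata are given the script's URL; only the script carries /idp/profile/Logout, so the IdP-side path can change without touching any unmanaged reference. The hostname, script path and cookie path are assumptions; shib_idp_session and shib_idp_session_ss are the IdP's default client-side session cookie names, and with idp.session.enabled=false they never exist, so those headers are inert.

```shell
#!/bin/sh
# Added example (not from the thread): an operator-owned /cgi-bin/logout.cgi.
# Everything that points at "logout" points here; only this script knows the
# IdP's real Logout URL. Hostname, paths and cookie names are assumptions.

IDP_HOST="idp.example.edu"                                # assumed
IDP_LOGOUT_URL="https://${IDP_HOST}/idp/profile/Logout"   # assumed path

# Default Shibboleth IdP client-side session cookies. With
# idp.session.enabled=false they are never set and expiring them is a no-op.
SESSION_COOKIES="shib_idp_session shib_idp_session_ss"

# Print one expiring Set-Cookie header per cookie name in $1 (space separated).
# Path=/idp is assumed to match how the IdP sets its cookies.
expire_cookies() {
  for c in $1; do
    printf 'Set-Cookie: %s=; Path=/idp; Secure; HttpOnly; Max-Age=0\r\n' "$c"
  done
}

# Build the complete CGI response. A 302 needs headers only, no body.
# Cache-Control: no-store keeps the redirect (and cookie expiry) from being cached.
logout_response() {
  printf 'Status: 302 Found\r\n'
  printf 'Cache-Control: no-store\r\n'
  expire_cookies "$SESSION_COOKIES"
  printf 'Location: %s\r\n' "$IDP_LOGOUT_URL"
  printf '\r\n'
}

# The Location header the script would send, for operators and tests.
location_header() {
  logout_response | grep '^Location: ' | tr -d '\r'
}

# Emit the response only when a web server actually invokes this as a CGI,
# so the file can also be sourced or checked without producing output.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
  logout_response
fi
```

Install it at a path you control (Scott's is /cgi-bin/logout.cgi) and hand that path, not /idp/profile/Logout, to anything outside the IdP's own configuration; when the IdP's logout endpoint moves, IDP_LOGOUT_URL is the only line to change.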