Shibboleth Proxy to Azure: Completing logout.

Wessel, Keith kwessel at
Wed Jan 19 21:55:21 UTC 2022

Yes, that property will completely turn off the session layer.

We did this originally, but since we’re still using the built-in password and MFA flows for non-browser connections, we wanted to still be able to offer non-0 session length for those clients that are smart enough to store the session cookie. We ended up setting the timeout and lifetime for the SAML proxy authentication flow to 1 second (since it must be a value greater than 0). That basically disabled SSO for browsers but not for ECP clients, and we turned the session layer back on.
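
The two configurations described above, written out as an added example (not from this thread or the Shibboleth project). The property names are assumed from IdP 4.1+ conf/idp.properties and conf/authn/authn.properties and should be checked against your version; the two options are alternatives, not meant to be set together:

```properties
# --- Option A (Michael's suggestion): no IdP session layer at all ---
# conf/idp.properties
# Nothing is stored server-side, so every browser request is re-proxied to
# Azure AD and there is no local session to log out of. ECP/non-browser
# clients lose their reusable sessions too.
idp.session.enabled = false

# --- Option B (what Keith describes): keep the session layer, but make the
# SAML proxy flow's result unusable for browser SSO ---
# conf/idp.properties
idp.session.enabled = true

# conf/authn/authn.properties
# Zero is rejected, so one second is the practical minimum. A browser that
# comes back more than a second later is sent to Azure AD again, while the
# built-in Password/MFA flows keep their normal lifetimes (property names
# assumed; defaults are left untouched here so ECP clients still get SSO).
idp.authn.SAML.lifetime = PT1S
idp.authn.SAML.inactivityTimeout = PT1S
```

Option B deliberately trades browser SSO for the ability to finish logout at Azure AD without propagating a SAML LogoutRequest from the IdP.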


From: users <users-bounces at> On Behalf Of Jeffrey Williams via users
Sent: Wednesday, January 19, 2022 3:46 PM
To: Shib Users <users at>
Cc: Jeffrey Williams <jfwillia at>
Subject: Re: Shibboleth Proxy to Azure: Completing logout.

On Wed, Jan 19, 2022 at 4:01 PM Cantor, Scott <cantor.2 at> wrote:
On 1/19/22, 3:30 PM, "Michael Grady" <mgrady at> wrote:

> And if you are not trying to propagate logout anyways, another option might be you simply do not have the
> Shib IdP keep a session in the first place, and list an Azure AD logout endpoint that does not require a SAML
> logout message (just like the Shib IdP's profile/Logout endpoint) as the logout endpoint when you configure
> the SP with the Shib IdP. (Assuming Azure AD has such a logout endpoint.)

I had not considered dropping Shib IDP session creation as a whole. That seems like a pretty elegant solution to the problem. Is configuring for that as straightforward as setting idp.session.enabled=false in, or is there anything else that'd need to be done?

I remembered looking at a meta refresh redirect to Azure, but found that the URL that Azure SSO uses is indeed SAML-based. Does that make this sort of logout a feature request or is there some way to craft and send the samlp:LogoutRequest in the template?

Whenever you're dealing with something not in the metadata, you have something "unmanaged", and that should never be directly pointing to a piece of software you don't control (as in, the IdP could change that URL for some reason, but a script you own lives where you decide it does).

I use /cgi-bin/logout.cgi on my IdP servers for that, and I never allow direct references to /idp/profile/Logout.

-- Scott

For Consortium Member technical support, see the Shibboleth Consortium support page.
To unsubscribe from this list send an email to users-unsubscribe at

Jeffrey Williams
Identity & Access Engineer
Identity & Access Services
