Child pages
  • Shibboleth Logout Strategy

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3


This document describes the Library's Shibboleth Logout strategy.


Most web applications have a concept of "logout", i.e., if a user logs into an application, the user is given the opportunity to log out. The applications which the Library supports all offer a "logout" (or something semantically similar) link for a user who is currently logged in. It is out intention to keep the logout functionality, even after moving to Shibboleth.

Shibboleth Logout

Shibboleth does not support global logout, so this is the only sentence that is going to mention it.

There are two locations where logout happens with Shibboleth (three if counting the application, but for the case of Shibboleth itself, only two):

  1. Service Provider
  2. Identity Provider

Service provider

For the Service Provider (SP) logout, if using shibd, the following should be done:

  1. Redirect the browser to /Shibboleth.sso/Logout
  2. Alter the following pages to look like the HTML below:
    • globalLogout.html
    • localLogout.html
    • partialLogout.html
Code Block

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
	PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"

<html xmlns="" xml:lang="en" lang="en">
	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
	<link rel="stylesheet" type="text/css" href="<shibmlp styleSheet/>" />
	<title>Partial Logout</title>
	<meta http-equiv="refresh" content="0;url=" />

<h1>Partial Logout</h1>

<p>If you are not redirected to the MyAccess logout page, please <a href="">logout by clicking this link</a></p>




This document is no longer necessary as logout should be configured in the IdP metadata and in shibboleth2.xml. See the Logout section of Setting up a Shibboleth SP for more details.