This document describes the Library's Shibboleth Logout strategy.
Most web applications have a concept of "logout", i.e., if a user logs into an application, the user is given the opportunity to log out. The applications which the Library supports all offer a "logout" (or something semantically similar) link for a user who is currently logged in. It is our intention to keep the logout functionality, even after moving to Shibboleth.
Shibboleth does not support global logout, so this is the only sentence that is going to mention it.
There are two locations where logout happens with Shibboleth (three if counting the application, but for the case of Shibboleth itself, only two):
- Service Provider
- Identity Provider
For the Service Provider (SP) logout, if using shibd, the following should be done:
- Redirect the browser to
- Alter the following pages to look like the HTML below:
```html
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <link rel="stylesheet" type="text/css" href="<shibmlp styleSheet/>" />
    <title>Partial Logout</title>
    <meta http-equiv="refresh" content="0;url=https://d5n1.ucsf.edu/idp/logout.jsp" />
  </head>
  <body>
    <h1>Partial Logout</h1>
    <p>If you are not redirected to the MyAccess logout page, please <a href="https://d5n1.ucsf.edu/idp/logout.jsp">logout by clicking this link</a></p>
  </body>
</html>
```
This document is no longer necessary as logout should be configured in the IdP metadata and in shibboleth2.xml. See the Logout section of Setting up a Shibboleth SP for more details.