Overview

This document describes the Library's Shibboleth Logout strategy.

Background

Most web applications have a concept of "logout", i.e., if a user logs into an application, the user is given the opportunity to log out. The applications which the Library supports all offer a "logout" (or something semantically similar) link for a user who is currently logged in. It is our intention to keep this logout functionality, even after implementing Shibboleth.

Shibboleth Logout

Shibboleth does not support global logout, so this is the only sentence that is going to mention it.

In order for a user's current concept of "logout" to work, three things have to happen:

  1. End the application session
  2. End the Service Provider session
  3. End the Identity Provider session

The first one does not need to happen if the application is 100% protected by the Shibboleth Service Provider (like the wiki). Even so, if the application session can be ended, it should be, because the application can then clean up an otherwise unused resource (the session).

End the application session

If possible, the current application session should be ended in the same manner it was ended before shibbolization. This is easier said than done, because after the application session is ended the browser must be redirected to the SP logout (see below). So, in most cases, some code in the application will need to be altered.

End the Service Provider session

For the Service Provider (SP) logout, if using shibd, the following should be done:

  1. Redirect the browser to /Shibboleth.sso/Logout
  2. Alter the following pages to look like the HTML below:
    • /etc/shibboleth/globalLogout.html
    • /etc/shibboleth/localLogout.html
    • /etc/shibboleth/partialLogout.html
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
	PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <title>Partial Logout</title>
    <!-- Immediately forward the browser from the SP logout page to the IdP (MyAccess) logout page. -->
    <meta http-equiv="refresh" content="0;url=https://dp.ucsf.edu/idp/shib_logout.jsp?url=<full app return URL>" />
</head>
<body>

<h1>Partial Logout</h1>

<!-- Fallback link for browsers that do not honour the meta refresh; it must carry the same ?url= parameter as the refresh above. -->
<p>If you are not redirected to the MyAccess logout page, please <a href="https://dp.ucsf.edu/idp/shib_logout.jsp?url=<full app return URL>">logout by clicking this link</a>.</p>

</body>
</html>

Note

Change the above as necessary:

  • Change dp to d5n1 if the SP is pointing at MyAccess stage.
  • Change <full app return URL> to be the actual URL that you would like displayed on the MyAccess logout page (if you want the MyAccess logout page to display a link for the user to return to your app).

The meta refresh forces the browser to redirect (yet again), this time to the IdP logout. Using a meta refresh is necessary because the documented method of redirecting after an SP logout does not seem to work 100% of the time. The documented method is the following URI:

/Shibboleth.sso/Logout?return=<some URL>

We have witnessed on countless occasions that providing ?return=<some URL> does not make the browser redirect. The odd thing is that if you see this URI in the browser, place your cursor in the location bar and hit "Return" on the keyboard, the browser does redirect. Very odd.

This is why editing the SP HTML pages mentioned above is the only "guaranteed" way to make sure the browser redirects. (Adding JavaScript window.location code to the pages as a further fallback might be wise as well.)

End the Identity Provider session

Redirect users to the IdP logout page, because this is the only step that fully makes the user's current concept of "logout" work. To end the IdP session, redirect the user's browser to:

https://dp.ucsf.edu/idp/shib_logout.jsp?url=<full app return URL>

For instance, try the following link and see what it displays:

https://dp.ucsf.edu/idp/shib_logout.jsp?url=https://wiki.ucsf.edu

Note: Change dp to d5n1 if the SP is pointing at MyAccess stage.

The Identity Provider (IdP) is under the control of MyAccess, so we cannot change the text on its associated pages. However, there is currently text on the logout page which instructs the user to close the browser to ensure a proper logout.
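The three steps above (end the application session, redirect to the SP logout, have the SP logout page forward to the IdP logout) as a worked example. This is added code, not part of the original page or of any Library application: it models the logout chain as plain Python functions so each step can be checked without a web framework. The SP logout path and the dp/d5n1 hosts come from the page; the session store (a dict), the cookie name APPSESSION, the allowed return hosts, and the generated page layout are assumptions. Two things the page's bare URLs do not show are included because a practitioner would want them: the return URL is percent-encoded so a "?" or "&" inside it stays within the url= parameter, and only an https URL on an allow-listed host is handed to the IdP page, so the logout handler cannot be turned into an open redirect by a caller-supplied return URL.

```python
"""Added example: the application -> SP -> IdP logout chain as testable functions.
Assumed (not on the page): dict session store, cookie name APPSESSION,
ALLOWED_RETURN_HOSTS, and the generated page layout."""
from urllib.parse import quote, urlsplit

SP_LOGOUT_PATH = "/Shibboleth.sso/Logout"                              # from the page
IDP_LOGOUT_HOSTS = {"prod": "dp.ucsf.edu", "stage": "d5n1.ucsf.edu"}   # page: "change dp to d5n1" for stage
SESSION_COOKIE = "APPSESSION"                                           # assumed cookie name
ALLOWED_RETURN_HOSTS = {"wiki.ucsf.edu"}                                # assumed allow-list


def idp_logout_url(return_url: str, env: str = "prod") -> str:
    """Step 3: the IdP logout URL. safe='' encodes ':' and '/' too, so the whole
    return URL travels inside the single url= parameter."""
    host = IDP_LOGOUT_HOSTS[env]
    return f"https://{host}/idp/shib_logout.jsp?url={quote(return_url, safe='')}"


def safe_return_url(candidate: str, default: str) -> str:
    """Accept only an https URL on an allow-listed host as the return URL;
    anything else falls back to the application's own fixed landing page."""
    parts = urlsplit(candidate)
    if parts.scheme == "https" and parts.hostname in ALLOWED_RETURN_HOSTS:
        return candidate
    return default


def app_logout(sessions: dict, session_id: str) -> dict:
    """Steps 1 and 2: drop the application session (idempotent, unknown ids are
    ignored), expire its cookie, and send the browser to the SP logout handler.
    The response is returned as a dict so it can be asserted on."""
    sessions.pop(session_id, None)
    return {
        "status": 302,
        "headers": {
            "Location": SP_LOGOUT_PATH,
            "Set-Cookie": f"{SESSION_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly",
        },
    }


def sp_logout_page(return_url: str, env: str = "prod") -> str:
    """Content for /etc/shibboleth/{global,local,partial}Logout.html: a meta
    refresh to the IdP logout, a window.location fallback, and a plain link,
    all pointing at the same URL."""
    target = idp_logout_url(return_url, env)
    attr = target.replace("&", "&amp;")  # attribute-safe (no '&' survives quote(), but be explicit)
    return (
        '<!DOCTYPE html>\n<html><head><meta charset="utf-8"/>\n'
        f'<meta http-equiv="refresh" content="0;url={attr}"/>\n'
        f'<script>window.location.replace("{target}");</script>\n'
        "<title>Logout</title></head><body>\n"
        f'<p>If you are not redirected, <a href="{attr}">logout by clicking this link</a>.</p>\n'
        "</body></html>\n"
    )


if __name__ == "__main__":
    # Constructed sample: one live session, then the user clicks "logout".
    store = {"abc123": {"user": "someone"}}
    print(app_logout(store, "abc123"))
    print(idp_logout_url(safe_return_url("https://wiki.ucsf.edu", "https://wiki.ucsf.edu/home")))
    print(sp_logout_page("https://wiki.ucsf.edu"))
```

The SP logout page is rendered from the same function that builds the IdP URL, so the meta refresh, the script fallback and the link can never drift apart the way the unfixed href on the original page did.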
