Child pages
  • Shibboleth Logout Strategy
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »


This document describes the Library's Shibboleth Logout strategy.


Most web applications have a concept of "logout", i.e., if a user logs into an application, the user is given the opportunity to log out. The applications which the Library supports all offer a "logout" (or something semantically similar) link for a user who is currently logged in. It is out intention to keep the logout functionality, even after moving to Shibboleth.

Shibboleth Logout

Shibboleth does not support global logout, so this is the only sentence that is going to mention it.

In order for a user's current concept of "logout" to work, three things have to happen:

  1. End the application session
  2. End the Service Provider session
  3. End the Identity Provider session

The first one does not need to happen if the application is 100% protected by the Shibboleth Service provider (like the wiki). However, if it can happen, that would be helpful to the application, as it can then cleanup an unused resource (the session).

End the application session

If possible, the current application session should be ended in the same manner it is ended pre-shibbolization.

End the Service Provider session

For the Service Provider (SP) logout, if using shibd, the following should be done:

  1. Redirect the browser to /Shibboleth.sso/Logout
  2. Alter the following pages to look like the HTML below:
    • /etc/shibboleth/globalLogout.html
    • /etc/shibboleth/localLogout.html
    • /etc/shibboleth/partialLogout.html
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
	PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"

<html xmlns="" xml:lang="en" lang="en">
	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
	<link rel="stylesheet" type="text/css" href="<shibmlp styleSheet/>" />
	<title>Partial Logout</title>
	<meta http-equiv="refresh" content="0;url=" />

<h1>Partial Logout</h1>

<p>If you are not redirected to the MyAccess logout page, please <a href="">logout by clicking this link</a></p>


Note: Change dp to d5n1 if the SP is pointing at MyAccess stage.

This meta refresh is necessary because the documented method of redirecting after an SP logout does not seem to work 100% of the time. The documented method is the following URI:

/Shibboleth.sso/Logout?return=<some URL>

We have witnessed on countless occasions that providing ?return=<some URL> does not make the browser redirect. The odd thing is that if you see this page and then take your cursor and place it in the location bar then hit "Return" on the keyboard, the browser redirects. So, this is why editing the SP HTML pages mentioned above, is the only "guaranteed" way to make sure the browser redirects. (Perhaps adding JavaScript window.location code to the pages might even be wise, as well.)

End the Identity Provider session

The Identity Provider (IdP) is under the control of MyAccess, so the only thing we can do it is try to influence the text on that page if we feel it is not correct. However, we must redirect users to the IdP logout page because this is the only thing which will fully make the user's current concept of "logout" work. To end the IdP session, redirect the user's browser to:

Note: Change dp to d5n1 if the SP is pointing at MyAccess stage.

  • No labels