This document describes the Library's Shibboleth Logout strategy.


Most web applications have a concept of "logout", i.e., if a user logs into an application, the user is given the opportunity to log out. The applications which the Library supports all offer a "logout" (or something semantically similar) link for a user who is currently logged in. It is our intention to keep the logout functionality, even after moving to Shibboleth.

Shibboleth Logout

Shibboleth does not support global logout, so this is the only sentence that is going to mention it.

There are two locations where logout happens with Shibboleth (three if counting the application, but for the case of Shibboleth itself, only two):

  1. Service Provider
  2. Identity Provider

Service Provider

For the Service Provider (SP) logout, if using shibd, the following should be done:

  1. Redirect the browser to /Shibboleth.sso/Logout
  2. Alter the following pages to look like the HTML below:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
	PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
	<link rel="stylesheet" type="text/css" href="<shibmlp styleSheet/>" />
	<title>Partial Logout</title>
	<meta http-equiv="refresh" content="0;url=https://d5n1.ucsf.edu/idp/logout.jsp" />
</head>
<body>

<h1>Partial Logout</h1>

<p>If you are not redirected to the MyAccess logout page, please <a href="https://d5n1.ucsf.edu/idp/logout.jsp">logout by clicking this link</a></p>

</body>
</html>


Note: Change d5n1 to dp if this is a production installation.
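
A deployment check for the note above, added here as an example and not part of the Library's own tooling: it parses a logout template and reports any redirect or link that does not point at the IdP logout page for the chosen environment. The names IDP_HOSTS, check_logout_template and SAMPLE are hypothetical, the production host dp.ucsf.edu is derived from the note, and the check assumes every link in the template should lead to the IdP logout page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts per the note on this page: d5n1 for non-production, dp for production.
IDP_HOSTS = {"test": "d5n1.ucsf.edu", "production": "dp.ucsf.edu"}
IDP_LOGOUT_PATH = "/idp/logout.jsp"


class _LogoutTargets(HTMLParser):
    """Collect the meta-refresh target and every <a href> in a template."""

    def __init__(self):
        super().__init__()
        self.refresh, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content has the form "0;url=https://host/path"
            _, _, target = (a.get("content") or "").partition(";")
            key, _, url = target.strip().partition("=")
            if key.strip().lower() == "url":
                self.refresh.append(url.strip())
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def check_logout_template(html, environment):
    """Return a list of problems; an empty list means the template is consistent."""
    parser = _LogoutTargets()
    parser.feed(html)
    expected = IDP_HOSTS[environment]
    problems = []
    if len(parser.refresh) != 1:
        problems.append(f"expected exactly one meta refresh, found {len(parser.refresh)}")
    for url in parser.refresh + parser.links:
        parts = urlsplit(url)
        if (parts.scheme, parts.hostname, parts.path) != ("https", expected, IDP_LOGOUT_PATH):
            problems.append(f"{url}: expected https://{expected}{IDP_LOGOUT_PATH}")
    return problems


# Constructed sample: the template from this page, reduced to the parts that carry a URL.
SAMPLE = (
    '<head><meta http-equiv="refresh" content="0;url=https://d5n1.ucsf.edu/idp/logout.jsp" /></head>'
    '<body><a href="https://d5n1.ucsf.edu/idp/logout.jsp">logout by clicking this link</a></body>'
)

if __name__ == "__main__":
    for env in IDP_HOSTS:
        print(env, check_logout_template(SAMPLE, env) or "ok")
```

Run against the installed template with the environment name for that host; a production template that still carries d5n1 yields one finding per URL.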