This document describes the Library's Shibboleth Logout strategy.
Most web applications have a concept of "logout", i.e., if a user logs into an application, the user is given the opportunity to log out. The applications which the Library supports all offer a "logout" (or something semantically similar) link for a user who is currently logged in. It is our intention to keep the logout functionality, even after moving to Shibboleth.
Shibboleth does not support global logout, so this is the only sentence that is going to mention it.
There are two locations where logout happens with Shibboleth (three if counting the application, but for the case of Shibboleth itself, only two):
For the Service Provider (SP) logout, if using shibd, the following should be done:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
  <link rel="stylesheet" type="text/css" href="<shibmlp styleSheet/>" />
  <title>Partial Logout</title>
  <meta http-equiv="refresh" content="0;url=https://d5n1.ucsf.edu/idp/logout.jsp" />
</head>
<body>
  <h1>Partial Logout</h1>
  <p>If you are not redirected to the MyAccess logout page, please <a href="https://d5n1.ucsf.edu/idp/logout.jsp">logout by clicking this link</a></p>
</body>
</html>
Note: Change d5n1 to dp if this is a production installation.