How to log out from Shibboleth

playmaker420 · May 25, 2015 · Viewed 7k times

I'm using Shibboleth services in order to achieve the following:

  1. User tries to access the secured resource in https://sp.dev.myserver.com/secure/
  2. Redirects to WAYF
  3. Selects IdP and redirects to IdP and is authenticated against the school's LDAP (username: [email protected], password: test)
  4. Redirects to "https://sp.dev.myserver.com/secure/" and the attributes are made available in the SP's session.

    PHP Test

    <html>
    <body>
        <?php
            echo '<p>Hello User</p>';
        ?>

        <?php
            // Attributes released by the IdP are exposed by the Shibboleth SP
            // as server variables; escape them before echoing into HTML.
            echo "Given Name:  " . htmlspecialchars($_SERVER["givenName"]) . ".<br>";
            echo "Email     :  " . htmlspecialchars($_SERVER["mail"]) . ".";
        ?>
        <a href="https://sp.dev.myserver.com/Shibboleth.sso/Logout">Logout ME</a>
    </body>
    </html>

  5. I could show the details of the authenticated user in this PHP page.

  6. Now I have added a hyperlink to perform Sign Out and added the logout URL in it.

  7. Now when I hit the logout button it redirects to the URL and shows the below.

I closed the browser and tried accessing https://sp.dev.myserver.com/secure but the session was not destroyed and it showed the page with the details from the previous login.

How do I achieve a proper sign out? Can somebody help me to fix this?

PS: Please let me know if I want to add more info. Thanks in advance.

Answer

judielaine · May 25, 2015

Once upon a time, whenever a user closed their browser, all the session cookies were deleted. And then browser developers decided it would be "helpful" to keep the session cookies after closing the browser. See the background information here.

I'm guessing that your browser is not set in such a way as to clean out session cookies when you close your browser. Use the background information to change your settings and try testing again.

Since this busted the "close browser to log out" instruction for many SAML federations (as I believe you have experienced), groups that originally didn't believe in implementing SLO (Single Log Out) now support SLO. If the school's IdP has an SLO endpoint, you can implement log out against that. See Section 4.4 for the Single Log Out spec (PDF). Note the endpoint will be identified in the IdP's metadata as the SingleLogoutService.
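As an added illustration of the last point (example code, not part of the answer or of the Shibboleth project), the snippet below reads SAML 2.0 IdP metadata and lists the SingleLogoutService endpoints it advertises, so you can tell whether SLO is even possible against a given IdP before wiring the SP's logout handler to it. The metadata documents, entityID and hostnames are constructed placeholders; the binding URNs are the standard SAML 2.0 ones, and the preference order (HTTP-Redirect, then HTTP-POST, then SOAP) is a choice made here for front-channel logout, not a requirement of the spec.

```python
"""List SingleLogoutService endpoints in SAML 2.0 IdP metadata (added example)."""
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace (the md: prefix in most IdP metadata files).
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Standard binding URNs mapped to short names for readable output.
BINDING_NAMES = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP": "SOAP",
}

# Front-channel bindings first; SOAP (back-channel) last. Design choice, not spec.
PREFERRED_BINDINGS = ["HTTP-Redirect", "HTTP-POST", "SOAP"]

# Constructed sample: an IdP that advertises two SLO endpoints plus SSO.
SAMPLE_METADATA_WITH_SLO = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example-school.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example-school.edu/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example-school.edu/idp/profile/SAML2/POST/SLO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example-school.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: an IdP with SSO only, i.e. no SLO support at all.
SAMPLE_METADATA_WITHOUT_SLO = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example-school.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example-school.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def slo_endpoints(metadata_xml):
    """Return [(binding_name, location), ...] for every SingleLogoutService
    found under any IDPSSODescriptor, in document order.

    Works for a single EntityDescriptor or a federation EntitiesDescriptor,
    since iter() walks the whole tree. An empty list means the IdP does not
    advertise SLO, and the SP can only clear its own local session.
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for slo in idp.findall(f"{{{MD_NS}}}SingleLogoutService"):
            binding = slo.get("Binding", "")
            found.append((BINDING_NAMES.get(binding, binding), slo.get("Location", "")))
    return found


def preferred_slo_endpoint(metadata_xml):
    """Pick the SLO endpoint to use, or None if the IdP offers none."""
    endpoints = slo_endpoints(metadata_xml)
    for wanted in PREFERRED_BINDINGS:
        for binding, location in endpoints:
            if binding == wanted:
                return (binding, location)
    return None


if __name__ == "__main__":
    for label, md in (("with SLO", SAMPLE_METADATA_WITH_SLO),
                      ("without SLO", SAMPLE_METADATA_WITHOUT_SLO)):
        print(label, "->", preferred_slo_endpoint(md) or "local logout only")
```

If the function returns None for your school's IdP, the Shibboleth SP's Logout handler can only end the SP-side session; the IdP session (and thus transparent re-login) will persist until the IdP session expires or the browser actually discards its session cookies.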