Changes between Version 25 and Version 26 of SPLogout


Timestamp:
05/19/14 14:31:43 (11 years ago)
Author:
dabantz@…
Comment:

--

  • SPLogout

    v25 v26  
    1 ''This is a prototype SP logout landing page.  The Service destroys its session but cannot destroy the SSO cookie.  So it is trivial to use the SSO cookie to log back into that service or another in the same security domain.  To prevent such behavior (a high risk / high security application or a need to log into the same service as a different user) the SP can re-direct the browser to a page like this that offers the opportunity to end the SSO session.  The SP could also directly use the link behind the "End My Current SSO Session", removing the option from the user.'' 
     1''This is a prototype SP logout landing page.  Each Service is responsible for logging out users from that service and should delete the user's session cookie.  But it is trivial to use the SSO cookie to log back into that service or another in the same security domain.  To prevent such behavior (a high risk / high security application or a need to log into the same service as a different user) the SP can re-direct the browser to a page like this that offers the opportunity to end the SSO session.  The SP could also directly use the link behind the "End My Current SSO Session", removing the option from the user.''  Despite these measures, it is still important for users to quit the browser (see the discussion below). 
    22 
    33=== You have been logged out of {the Application or Service that re-directed you here}. ===  
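Review bot: the v26 wording of line 1 weakens the security point it is making: v25 said the Service "destroys its session", while v26 only says it "should delete the user's session cookie". Clearing the cookie removes the browser's reference to the session but does not invalidate the server-side session it identifies, so the sentence should state both steps (invalidate the application session server-side and clear the cookie). The added closing sentence refers to "the discussion below", but nothing in this change anchors that reference; link or name the section so readers can find it.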
     
    2020---- 
    2121 
    22 On Thu, 15 May 2014, at 15:56 , John P. Mitchell <jpmitchell@alaska.edu> wrote: 
     22==== Help for service owners crafting logout from their application ==== 
    2323 
    24 David, 
     24 You can craft a URL like the following in your application.  
    2525 
    26    You can craft a URL like so. This link is functional by the way. 
     26https://yourapp.yourdomain.net/Shibboleth.sso/Logout?return=http://iam.alaska.edu/trac/wiki/SPLogout 
    2727 
    28 https://shibboleth.usc.edu/docs/sp/install/Shibboleth.sso/Logout?return=http://www.myplace.org 
     28Obviously you must take care of cleanup within your application - closing files, saving changes and the like.  Then redirect the users browser as in the link above.  If your Shibboleth SP is close to the default, replace "yourapp.yourdomain.edu" with the URL of your application; you can build your own logout page to inform users they have logged out of the application but still have an SSO session, providing them a link similar to the "End My Current UA SSO Session" link above.  Alternatively, you could have the return redirect them straight to the SSOS logout service point, like this: 
    2929 
    30 That will log you out of the SP. The return could point to the IDP logout.jsp in the return param if you want SP -> IDP logout flow. Some want to start at the IDP and then hit the SP, so you just reverse the return params. To figure out the URL you need to know where the web server administrator has placed the Shibboleth.sso in the URL. You can usually find that in the xml config for the SP. 
     30https://yourapp.yourdomain.net/Shibboleth.sso/Logout?return=https://iam.alaska.edu/trac/wiki/SSOsessionDestroyed  
    3131 
    32 --  
    33 John P. Mitchell <jpmitchell@alaska.edu> 
    34 UAF - ASF Operations Supervisor 
    35 907.474.5083 
     32''Note that the user may still have OTHER sessions active; removing the session with your application and the SSO session will not in itself log users out of current sessions with other applications.''
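Review bot: the new help text for service owners (v26 lines 24-30) is internally inconsistent: both example URLs use the host "yourapp.yourdomain.net", while the prose tells readers to replace "yourapp.yourdomain.edu"; the first return= target is http://iam.alaska.edu/... while the second is https://iam.alaska.edu/...; and the prose calls the link "End My Current UA SSO Session" while the landing-page text on line 1 calls it "End My Current SSO Session". Use one placeholder host, https for both return targets, and one link name. "SSOS logout service point" on line 28 reads as a typo for "SSO logout service point". Because the return parameter is a redirect target taken from the request, the text should also remind service owners that the SP must be configured to restrict which destinations Logout may redirect to; otherwise the logout endpoint doubles as an open redirect to arbitrary sites. The closing note on line 32 is a good addition; consider making it explicit that ending the SSO session does not clear the session cookies other applications have already issued.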