Shib Logout Not Working

This is just a placeholder for the issue discussed last Tuesday at office hours; looks like the Shib logout button on the OOD 4.07 interface isn’t successfully communicating with the Shibboleth endpoint and canceling the user’s sessions.

Thanks!

Can you share your shibboleth2.xml and the logout URL you’re trying to use?

From what I recall during office hours you don’t want Local logout, instead logging out of the IDP and apache both.

A quick glance at some other documentation (like NCSU below) seems to indicate you want a logout URL to be something like so:

https://<ood host>/Shibboleth.sso/Logout?return=https://<shib host>/idp/profile/Logout

Logout URL is:

logout_redirect: Brown University - Logout

My shib xml is attached….

shibboleth2.xml.txt (7.8 KB)

You’ll have to refresh my memory - that XML comes from your identity provider, right, like Brown’s IT department (i.e., another department)?

A quick google search indicates that this configuration of ‘Local’ means that it will only clear the apache’s session.

<Logout relayState="cookie">SAML2 Local</Logout>

Forgive me for not remembering, but can you articulate the current behavior you have and what behavior you would like to have?

Hi Jeff,

Yeah, that shib config comes from our ID Mgmt. team.
The current behavior we have is, the OOD portal “Logout” button redirects to a generic Shib logout page.

As far as I can tell, though, this doesn’t invalidate the current logged-in OOD session; hitting the back button will return you to the portal, the dashboard, the menus. Shouldn’t “Logout” force another Shib login when you’re served that page?

Thanks!

-Jeff

From your 2nd message above, I don’t see what the logout_uri is.

Though, the logout_redirect I think is incorrect as it’s your IdP. Seems like from what I’m reading it should be more like /Shibboleth.sso/Logout. A relative URL on your Apache instance, not remote to your IdP.

That’s the default - I can’t quite read this XML, so maybe it should be /shibboleth/Logout? But again, I’m not super familiar with this config that’s just what I’m trying to make out from the entityID config.
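As an added example (not code from the thread, from Open OnDemand, or from Brown's IdP), here is a small script that checks the two things discussed above: whether the SP's `<Logout>` element allows SAML2 single logout rather than only `Local`, and whether the `logout_redirect` value goes through the SP's logout handler on the OOD host with a `return=` back to the IdP's logout endpoint. The sample shibboleth2.xml, the hostnames `ood.example.edu` and `idp.example.edu`, and the handler path are constructed; the `/idp/profile/Logout` path is the Shibboleth IdP endpoint quoted earlier in the thread. The check is a heuristic on the configuration text, not a live test of the sessions.

```python
"""Flag the 'Local only' logout pitfall in a Shibboleth SP + OOD setup.

Added example, not part of the forum thread or of Open OnDemand itself.
Assumptions: shibboleth2.xml uses the Shibboleth SP 3 namespace, the OOD
setting is `logout_redirect` (as in the thread), and the IdP is a Shibboleth
IdP exposing /idp/profile/Logout. All hostnames and the XML are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

SP_NS = "urn:mace:shibboleth:3.0:native:sp:config"

# Constructed sample mirroring the <Logout> element quoted in the thread.
SAMPLE_SHIB_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://ood.example.edu/shibboleth">
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso">
      <SSO entityID="https://idp.example.edu/idp/shibboleth">SAML2</SSO>
      <Logout relayState="cookie">SAML2 Local</Logout>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
"""


def logout_protocols(shib_xml: str) -> list[str]:
    """Return the protocol tokens of <Logout>, e.g. ['SAML2', 'Local']."""
    root = ET.fromstring(shib_xml)
    node = root.find(f".//{{{SP_NS}}}Logout")
    if node is None or node.text is None:
        return []
    return node.text.split()


def handler_url(shib_xml: str) -> str:
    """Return the SP handler base path (Shibboleth SP default: /Shibboleth.sso)."""
    root = ET.fromstring(shib_xml)
    sessions = root.find(f".//{{{SP_NS}}}Sessions")
    if sessions is None:
        return "/Shibboleth.sso"
    return sessions.get("handlerURL", "/Shibboleth.sso")


def check_logout(shib_xml: str, logout_redirect: str,
                 ood_host: str, idp_host: str) -> list[str]:
    """Return a list of findings; an empty list means the config looks sane."""
    findings = []

    # 1. 'Local' alone clears only the SP/Apache session; SAML2 is needed
    #    for the IdP to be told about the logout as well.
    protocols = logout_protocols(shib_xml)
    if "SAML2" not in protocols:
        findings.append(
            f"<Logout> lists {protocols or 'nothing'}: only the SP session "
            "is cleared, the IdP session survives")

    # 2. The redirect must hit the SP handler on the OOD host, not jump
    #    straight to the IdP (which would leave the SP session valid).
    parts = urlsplit(logout_redirect)
    host = parts.netloc or ood_host  # a relative URL resolves on the OOD host
    if host != ood_host:
        findings.append(
            f"logout_redirect targets {host}, not the OOD host {ood_host}; "
            "the SP logout handler is never called")
    expected_path = handler_url(shib_xml).rstrip("/") + "/Logout"
    if parts.path != expected_path:
        findings.append(
            f"logout_redirect path {parts.path!r} is not the SP logout "
            f"handler {expected_path!r}")

    # 3. After the SP session is gone, return= should send the browser to
    #    the IdP's logout endpoint so the IdP session is ended too.
    ret = parse_qs(parts.query).get("return", [""])[0]
    ret_parts = urlsplit(ret)
    if ret_parts.netloc != idp_host or not ret_parts.path.endswith("/profile/Logout"):
        findings.append(
            "return= does not point at the IdP logout endpoint, "
            "so the IdP session survives")
    return findings


if __name__ == "__main__":
    good = "/Shibboleth.sso/Logout?return=https://idp.example.edu/idp/profile/Logout"
    bad = "https://idp.example.edu/idp/profile/Logout"  # IdP only, SP untouched
    for label, url in (("good", good), ("bad", bad)):
        print(label, check_logout(SAMPLE_SHIB_XML, url,
                                  "ood.example.edu", "idp.example.edu"))
```

To run it against a real deployment, read the actual shibboleth2.xml from disk and pass the `logout_redirect` value from ood_portal.yml; a non-empty list is the thing to discuss with the identity management team before assuming the button itself is broken.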