...
When an HTTP GET request is made to the /profile/Logout endpoint with a valid IdP session cookie, the corresponding IdP session is ended and the logout.vm view is rendered that informs the user of the following:
The IdP session is ended.
Lists all services accessed during the IdP session, if tracked, and offers to end those sessions by propagating a logout message to each one.
If the user chooses SLO, the logout-propagate.vm view is rendered and the browser mediates (i.e. front-channel) a series of logout messages coordinated via iframes, javascript, and in some cases HTML5 storage. The result is a best-effort attempt to explicitly end each relying party session by sending a protocol-specific message to each service endpoint. In the IdP configuration, the SLO messaging process is called propagation. The IdP attempts to display prominent status information on the result of each attempt to end a relying party session; a red X for failure or a green checkbox for success.
...
The UI is also, to our understanding, not accessible and is apparently impossible to make accessible. Whether true or not, it definitely is not by default and no fixes for this have been provided. It is believed that hiding the propagation status reporting is accessible, and a the idp.logout.propagationHidden 4.2 property exists in V4.2+ to hide this reporting from the user both for accessibility and because of the large number of false positives and negatives that are typically encountered.Finally, the
Preserving Request Parameters
The design of the logout feature does not support returning control of the user agent to any other system via a "return" parameter or similar mechanism. While this remains officially unsupported, the idp.logout.preserveQuery 4.1 property can be set to true to cause any parameters on the original request to be preserved and made accessible via a ScratchContext object underneath the ProfileRequestContext.
Note |
---|
There are some issues to be cautious of with this approach:
|
Browser Support
The SLO feature requires a fair bit of mature Javascript support, but any browser that supports HTML5 LocalStorage should work (this use of LocalStorage is independent of the choice of storage service, and it applies even when server-side storage is used). While the SLO implementation is based on modern Web standards, browser features vary so greatly that it's hard to identify minimum browser requirements.
Troubleshooting
Since Logout propagation feature - as far as the front-channel support is concerned - uses Javascript, all communication with the SPs can be traced in the Web browser. To this end, both the SAML tracer (Firefox Plugin) and the Javascript console in most browsers' developer tools can be helpful in troubleshooting. Common errors can be:
The SP’s web Server hat set the X-Frame-Options to “sameorigin”, which will make the SLO response from SP to IdP fail.
SAML Logout
SAML Logout is a more complex protocol than the simple variant described above, but the implementation is shared across the two approaches. There are really two "halves" to this:
Responding to requests from an SP
Propagating logout to an SP
This section is about the first case. The propagation step is covered in the previous section and is the same, regardless of how the logout is initiated.
SPs can request a logout using either front- or back-channel SAML bindings (typically HTTP-Redirect on the front, SOAP on the back). The IdP supports reception of either type of request, but use of SOAP obviously requires server-side session state. Propagation to SPs via SOAP when possible is supported more or less automatically, and happens either as part of back-channel processing or as a result of the usual front-channel iframe-based propagation.
Basic Configuration
The idp.session.secondaryServiceIndex property must be enabled to support SAML logout requests (it is explicitly enabled by default for new installs, but defaults to false).
Another consideration with SAML logout has to do with the length of time the system will "remember" the SP's session, in order to prevent the session cache from growing endlessly. This can't be done precisely because the IdP doesn't actually know how long the SP's own session might last. The idp.session.defaultSPlifetime and idp.session.slop properties control how long the IdP will "remember" an SP's session. Once elapsed, it's likely that a request for logout will fail from any SP that has expired from the cache.
...
Advanced Options
Even SPs that support requesting logout may not support receiving them, and many SPs may not care about responses to their requests. In such cases, it is advantageous to simple remove the <md:SingleLogoutService>
endpoints from their metadata. Unfortunately this fails due to the IdP's requirement to try and issue a response in most cases, and results in an error.
A new option has been added in V4.2+, a property named idp.logout.assumeAsync, to allow requests to be treated as though they carried the <aslo:Asynchronous>
extension element, which tells the IdP that no response is needed. This allows the removal of endpoints from SP metadata to be an effective means of mitigating such problems with SPs by allowing inbound logout to the IdP while preventing outbound logout.
A bean is also exposed in V4.2+ to allow message level encryption of <NameID>
values to be suppressed based on Format
. This is primarily suported to improve efficiency, given that many SPs rely on the urn:oasis:names:tc:SAML:2.0:nameid-format:transient
format, which isn't all that important to encrypt. A typical bean definition in conf/global.xml:
Code Block |
---|
<util:set id="shibboleth.PlaintextNameIDFormats">
<util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.ENTITY" />
<util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.TRANSIENT" />
</util:set |
Administrative Logout 4.3
V4.3 adds a long-requested capability to log out sessions administratively. Right now this capability is confined to the IdP session (and that’s all that will ever be practical) and is implemented by means of revoking the authentication state of a subject. See AdministrativeLogoutConfiguration.
Reference
Expand | ||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||||||||||||
|
Expand | ||
---|---|---|
| ||
The following may be defined in conf/global.xml if needed. |
...