Advanced Options

Even SPs that support issuing logout requests may not support receiving them, and many SPs do not care about responses to the requests they send. In such cases it is advantageous to simply remove the <md:SingleLogoutService> endpoints from their metadata. Unfortunately this fails in most cases, because the IdP insists on trying to issue a response, and the result is an error.

V4.2 adds a property, idp.logout.assumeAsync, that causes inbound requests to be treated as though they carried the <aslo:Asynchronous> extension element, which tells the IdP that no response is needed. This makes removing endpoints from SP metadata an effective way to mitigate such problems: inbound logout to the IdP still works, while outbound logout to the SP is prevented.

V4.2 also exposes a bean that suppresses message-level encryption of <NameID> values based on their Format. This is supported primarily to improve efficiency: many SPs rely on the urn:oasis:names:tc:SAML:2.0:nameid-format:transient format, which is not especially important to encrypt. A typical bean definition in conf/global.xml:
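As an added example (not the project's own definition), the bean can be declared as a Spring util:set in conf/global.xml. It assumes the file declares the Spring "util" namespace, as the default V4 conf/global.xml does; the bean ID and the Format URIs are the ones documented on this page.

```xml
<!-- Added example, not the project's own definition.
     Assumes conf/global.xml declares the Spring "util" namespace
     (xmlns:util="http://www.springframework.org/schema/util"),
     as the default V4 file does. -->
<util:set id="shibboleth.PlaintextNameIDFormats">
    <!-- The documented default entry. Re-list it, because defining the bean
         here replaces the default set rather than extending it. -->
    <value>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</value>
    <!-- Transient identifiers are opaque per-session handles, so encrypting
         them gains little and costs an extra encryption per message. -->
    <value>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</value>
</util:set>
```

Only add Formats whose values carry no identifying data; persistent or email-address identifiers, for example, should stay subject to the normal encryption settings, since this set overrides them for the listed Formats regardless of per-relying-party configuration.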

Reference

Properties

Each entry gives the property name, its type and default, and a description.

idp.session.trackSPSessions (Boolean, default false): whether to store references to SP sessions in the IdP session to support logout propagation.

idp.session.secondaryServiceIndex (Boolean, default false): whether to store NameID back-references in the IdP session to support SAML 2.0 logout.

idp.logout.elaboration (Boolean, default false): whether to search metadata for user-interface information associated with every service involved in logout propagation.

idp.logout.authenticated (Boolean, default true): whether to require signed logout messages, as the SAML 2.0 standard specifies. Setting this to false means unsigned LogoutRequests are accepted, so anyone who can reach the endpoint can end a user's IdP session.

idp.logout.promptUser (bean ID of a Predicate<ProfileRequestContext>, default false): if the predicate returns true, the user is given the option to cancel the IdP logout outright and keep the session.

idp.artifact.enabled (Boolean, default true): controls use of the HTTP-Artifact binding for outbound logout messages.

idp.logout.preserveQuery (V4.1+; Boolean, default false): processes arbitrary query parameters to the Simple Logout endpoint and stashes them in a ScratchContext for use by subsequent view logic.

idp.logout.assumeAsync (V4.2+; Boolean, default false): when true, allows inbound SAML LogoutRequests to be processed even if the SP's metadata contains no response endpoints.

idp.logout.propagationHidden (V4.2+; Boolean, default false): applies the "display:none" style to the list of SPs and the logout status images, so that logout status is not visibly reported to the user.

Beans

The following may be defined in conf/global.xml if needed.

Each entry gives the bean name, its type and default, and a description.

shibboleth.PlaintextNameIDFormats (V4.2+; Set<String>, default containing only urn:oasis:names:tc:SAML:2.0:nameid-format:entity): set of <NameID> Formats that need not be encrypted in messages, notwithstanding other settings.