File(s): conf/idp.properties, views/logout.vm, views/logout-complete.vm, views/logout-propagate.vm
Single Logout (SLO) support is new in 3.2.0. SLO is a best-effort attempt to end relying party sessions without clearing the browser's cookie and storage state. Most browsers do not clear this state when closed.
When an HTTP GET request is made to the /profile/Logout endpoint with a valid IdP session cookie, the corresponding IdP session is ended and the logout.vm view is rendered. That view:
- Informs the user that the IdP session has ended.
- Lists all services accessed during the IdP session, if tracked, and offers to end those sessions by propagating a logout message to each one.
If the user chooses to end without SLO, logout-complete.vm is rendered and a message is displayed indicating that some relying party sessions may still be active.
At present, the IdP session is terminated regardless of the user's choice. In other words, the question asked is "propagate or not?" rather than "logout or not?". The implications of this have been the subject of mailing list discussion and additional flexibility may be developed for future releases. You may also choose to copy and adapt the system-supplied logout flow locally to behave differently if you want to do that work.
The following property in idp.properties must be enabled to support the SLO propagation feature.
# Track information about SPs logged into
idp.session.trackSPSessions = true
The default storage solution used for sessions is cookie-based and does not support the SP tracking feature. You can either enable the use of HTML LocalStorage, which does support that feature, or switch to a server-side storage service option. See the StorageConfiguration topic for information on either of these approaches.
If you want the displayed information about services to be customized by the use of SAML metadata (for things like service names and logos), you should also set the following property:
# Whether to lookup metadata, etc. for every SP involved in a logout
# for use by user interface logic; adds overhead so off by default.
idp.logout.elaboration = true
In order for CAS protocol services to participate in SLO, the singleLogoutParticipant attribute must be set to true in the service definitions that identify the service:
In order for SAML services to participate in SLO, the SAML metadata supplied for them must contain appropriate <SingleLogoutService> endpoints. In addition, SPs vary in how they handle security, and SLO is in general vastly less interoperable than SSO in SAML, so you should not expect uniform results. Shibboleth itself assumes that all logout messages are signed, and if you need to interoperate with SPs that don't sign their logout responses, you will need to set the following property:
# Whether to require logout requests/responses be signed/authenticated.
idp.logout.authenticated = false
The look and feel of the logout process can be changed through modification of the view templates, message properties, etc.
Some deployers may choose to make SLO mandatory, which would require modifying the
<head> content of logout.vm as follows:
## Skip the "propagate or not?" prompt when there are SP sessions to end
#if ( $logoutContext and !$logoutContext.getSessionMap().isEmpty() )
<meta http-equiv="refresh" content="0;url=$flowExecutionUrl&_eventId=propagate">
#end
SAML Logout is a more complex protocol than the simple variant described above, but the implementation is shared across the two approaches. There are really two "halves" to this:
- Responding to requests from an SP
- Propagating logout to an SP
This section is about the first case. The propagation step is covered in the previous section and is the same, regardless of how the logout is initiated.
SPs can request a logout using either front- or back-channel SAML bindings (typically HTTP-Redirect on the front, SOAP on the back). The IdP can receive either type of request, but it currently cannot propagate logout using SOAP (although, if you rely on a server-side session storage option, a back-channel request can still terminate the session at the IdP).
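Because participation depends on the <SingleLogoutService> endpoints in SP metadata and the IdP cannot propagate over SOAP, it helps to audit metadata before enabling SLO. The following is an added example, not code from the Shibboleth IdP project; the entity IDs and URLs in the embedded metadata are constructed placeholders.

```python
# Added example (not from the Shibboleth IdP project): scan SP metadata for
# <SingleLogoutService> endpoints and report whether the IdP could propagate
# logout to each SP. Entity IDs and URLs below are constructed placeholders.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"
FRONT_CHANNEL = {BINDING + "HTTP-Redirect", BINDING + "HTTP-POST"}
SOAP = BINDING + "SOAP"

SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="https://sp-a.example.org/shibboleth">
    <SPSSODescriptor>
      <SingleLogoutService Binding="{SOAP}" Location="https://sp-a.example.org/SLO/SOAP"/>
      <SingleLogoutService Binding="{BINDING}HTTP-Redirect" Location="https://sp-a.example.org/SLO/Redirect"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp-b.example.org/sp">
    <SPSSODescriptor>
      <SingleLogoutService Binding="{SOAP}" Location="https://sp-b.example.org/slo/soap"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp-c.example.org/sp">
    <SPSSODescriptor/>
  </EntityDescriptor>
</EntitiesDescriptor>"""

def slo_endpoints(metadata_xml):
    """Map each SP entityID to its list of (Binding, Location) SLO endpoints."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        slos = ed.findall(f"{{{MD}}}SPSSODescriptor/{{{MD}}}SingleLogoutService")
        result[ed.get("entityID")] = [(s.get("Binding"), s.get("Location")) for s in slos]
    return result

def propagation_status(metadata_xml):
    """'front-channel': IdP can propagate logout (Redirect/POST endpoint present).
    'soap-only': SP may send logout requests, but the IdP cannot propagate via SOAP.
    'none': no SLO endpoint, so the SP cannot take part in SLO at all."""
    status = {}
    for entity_id, endpoints in slo_endpoints(metadata_xml).items():
        bindings = {b for b, _ in endpoints}
        if bindings & FRONT_CHANNEL:
            status[entity_id] = "front-channel"
        elif SOAP in bindings:
            status[entity_id] = "soap-only"
        else:
            status[entity_id] = "none"
    return status
```

Run propagation_status against your real metadata aggregate to see which SPs will silently be left out of propagation.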
The following property in idp.properties must be enabled to support SAML logout requests:
# Support lookup by SP for SAML logout
idp.session.secondaryServiceIndex = true
The default storage solution used for sessions is cookie-based and does not support the secondary indexing feature. You can either enable the use of HTML LocalStorage, which does support that feature, or switch to a server-side storage service option. See the StorageConfiguration topic for information on either of these approaches. Of course, using the client-side storage option does not allow for back-channel logout.
Another consideration with SAML logout has to do with the length of time the system will "remember" the SP's session, in order to prevent the session cache from growing endlessly. This can't be done precisely because the IdP doesn't actually know how long the SP's own session might last. The idp.session.defaultSPlifetime and idp.session.slop properties control how long the IdP will "remember" an SP's session. Once that time has elapsed, a logout request from an SP whose entry has expired from the cache will likely fail.