Shibboleth, How to configure Shibboleth logout behavior
For IT Pros: How to configure your Shibboleth SP and IDP logout behavior in order to provide both security and user convenience.
One of Shibboleth's major benefits for campus users is in reducing the number of times that campus users have to enter their NetID and password. Signing in to Shibboleth means that users can be recognized by all of the services that accept its single sign-on credentials.
However, an equivalent single sign-off has the potential to create unintended consequences: if a user logs out of one system and that one logout disconnects all of the Shibboleth sessions, they could lose unsaved work in other browser tabs.
To prevent that from happening, the campus standard behavior is 'single sign-in and multiple sign-out', specifically the variant called 'IDP logout': you end your own SP session and the IDP session, but not the sessions of other SPs.
There are three major components to logging out of a Shibboleth session, and here's what you'll want to do with them:
- Your application's own SP session: End this.
- Any other SP sessions also open in that browser: Don't end these.
- The IDP session that provides information to all of the SPs: End this too.
The specific steps to take:
- Terminate your application session.
- Direct the user's browser to /Shibboleth.sso/Logout on your server.
If using defaults, this will first end the user's SP session, then direct them to the IDP's logout URL.
- The IDP will terminate their IDP session and display the Shibboleth logout page.
The user's sessions with other SPs in the same browser session remain active until they log out of each of those services individually.
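As an added illustration (not code from the campus documentation or from the Shibboleth project), the two steps above as a minimal Python WSGI logout handler: the application session is destroyed on the server side, its cookie is expired, and the browser is redirected to the SP's Logout handler. The cookie name `appsession`, the in-memory session store and the sample session are assumptions constructed for the example.

```python
from http.cookies import SimpleCookie

SP_LOGOUT_PATH = "/Shibboleth.sso/Logout"  # the SP logout handler named in the steps above
APP_COOKIE = "appsession"                  # assumed name of the application's own session cookie

# Constructed in-memory session store: session id -> attributes released by the SP.
SESSIONS = {"s1": {"netid": "jdoe"}}


def session_id_from(cookie_header):
    """Return the application session id carried in a raw Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(APP_COOKIE)
    return morsel.value if morsel else None


def logout(cookie_header):
    """Step 1: invalidate the server-side application session, not just the cookie.
    Step 2: expire the cookie and send the browser to the SP logout handler, which
    ends the SP session and then forwards the user to the IDP's logout URL.
    Idempotent: a replayed cookie or a request without one still gets the redirect."""
    sid = session_id_from(cookie_header)
    SESSIONS.pop(sid, None)  # destroy server-side state so a copied cookie value is useless

    expired = SimpleCookie()
    expired[APP_COOKIE] = ""
    expired[APP_COOKIE]["max-age"] = 0   # tells the browser to discard the cookie now
    expired[APP_COOKIE]["path"] = "/"
    expired[APP_COOKIE]["secure"] = True
    expired[APP_COOKIE]["httponly"] = True

    headers = [
        ("Location", SP_LOGOUT_PATH),
        ("Set-Cookie", expired[APP_COOKIE].OutputString()),
        ("Cache-Control", "no-store"),  # the logout response must never be served from cache
    ]
    return "302 Found", headers


def app(environ, start_response):
    """Minimal WSGI entry point; only the /logout route is implemented here."""
    if environ.get("PATH_INFO") == "/logout":
        status, headers = logout(environ.get("HTTP_COOKIE"))
    else:
        status, headers = "404 Not Found", [("Content-Type", "text/plain")]
    start_response(status, headers)
    return [b""]
```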
Single sign-out has several potential problems.
- Users can lose unsaved or unfinished work if logging out of one tab or window ends every Shibboleth session in that browser at the same time.
- It is also hard to implement, because one SP has to command every other SP, as well as the IDP, to end its session.
- In some cases it is not possible at all. Some SPs, including some cloud services, will not act on kill orders from other SPs.
However, session-specific SP sign-out without IDP sign-out also has problems.
- A user can tell the system to log out of the SP, but the browser still holds an active IDP session.
- If they open a new tab and go back to your service, they are logged straight back in, with no NetID and password prompt, to the very service they had just tried to log out of.
- Anyone else who uses that browser can also get straight in without a NetID and password prompt, which is a bad security idea.
Why the own-SP and IDP compromise is the best option available:
- You can end access to your own service without ending other sessions' access to their services.
- Users don't lose unsaved information in other tabs or windows.
- If a user changes their mind and goes back to the service they just left, they are prompted to log in again, which enforces good security practice.