Shibboleth, How to configure Shibboleth logout behavior
For IT Pros: How to configure your Shibboleth SP and IDP logout behavior in order to provide both security and user convenience.
One of Shibboleth's major benefits for campus users is in reducing the number of times that campus users have to enter their NetID and password. Signing in to Shibboleth means that users can be recognized by all of the services that accept its single sign-on credentials.
However, an equivalent single sign-off has the potential to create unintended consequences: if a user logs out of one system and that one logout disconnects all the Shibboleth sessions, they could lose unsaved work in other browser tabs.
In order to prevent that from happening, the campus standard behavior is to provide "single sign-in and multiple sign-out" -- specifically the version called "IDP logout", where you disconnect your own SP and the IDP but not other SPs.
There are three major components to logging out of a Shibboleth session, and here's what you'll want to do with them:
- Your application's own SP session: End this.
- Any other SP sessions also open in that browser: Don't end these.
- The IDP session that provides information to all of the SPs: End this too.
The specific steps to take:
- Terminate your application session.
- Direct the user's browser to /Shibboleth.sso/Logout on your server.
If using defaults, this will first end the user's SP session, then direct them to the IDP's logout URL.
- The IDP will terminate their IDP session and display the Shibboleth logout page.
Their sessions with other SPs in the current browser session will remain active until the user logs out of those services, as well.
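The steps above, carried out by the application's own logout handler, as an added example that is not part of the original article and not code from the Shibboleth project. It uses no web framework so the two actions are visible: destroy the application session (and expire its cookie), then redirect the browser to /Shibboleth.sso/Logout, which is the only URL taken from the page. The in-memory session store and the cookie name APPSESSID are constructed for the example; the optional `return` query parameter on the SP's Logout handler is an assumption about the SP, and the example shows why an application must validate any such value before passing it on.

```python
"""Application-side logout for a Shibboleth-protected app (added example).

Procedure demonstrated:
  1. destroy the application's own session server-side and expire its cookie
  2. send the browser to the SP's logout handler, /Shibboleth.sso/Logout,
     which ends the SP session and, with the default SP configuration, hands
     the browser on to the IdP's logout URL
Nothing here contacts other SPs, so their sessions in the browser stay active.
"""
from urllib.parse import urlencode, urlsplit

SP_LOGOUT_HANDLER = "/Shibboleth.sso/Logout"  # location given in the article
APP_SESSION_COOKIE = "APPSESSID"               # hypothetical cookie name


class SessionStore:
    """Minimal in-memory server-side session store (constructed for the example)."""

    def __init__(self):
        self._sessions = {}

    def create(self, sid, data):
        self._sessions[sid] = dict(data)

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        # Returns True if a session was actually removed.
        return self._sessions.pop(sid, None) is not None


def safe_return_path(candidate):
    """Accept only a relative, same-site path for the post-logout landing page.

    If the SP's Logout handler forwards a ``return`` value to the browser
    (an assumption about the handler, not something the article states),
    then passing user-supplied URLs through unchecked would turn logout
    into an open redirect. Absolute URLs and protocol-relative ``//host``
    forms are rejected; ``None`` means "use the SP's default logout page".
    """
    if not candidate or not candidate.startswith("/") or candidate.startswith("//"):
        return None
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return None
    return candidate


def logout(store, request_cookies, return_to=None):
    """Handle the application's /logout route.

    Returns (status, headers) the way a bare WSGI handler would.
    """
    sid = request_cookies.get(APP_SESSION_COOKIE)
    if sid:
        store.destroy(sid)  # step 1: terminate the application session

    location = SP_LOGOUT_HANDLER  # step 2: hand the browser to the SP logout handler
    path = safe_return_path(return_to)
    if path:
        location += "?" + urlencode({"return": path})

    headers = [
        ("Location", location),
        ("Cache-Control", "no-store"),
        # Expire the app cookie so a stale session id is not sent on the next request.
        ("Set-Cookie", f"{APP_SESSION_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly"),
    ]
    return 302, headers


if __name__ == "__main__":
    store = SessionStore()
    store.create("abc", {"user": "alice"})
    print(logout(store, {APP_SESSION_COOKIE: "abc"}, return_to="/goodbye"))
```

The server-side destroy is what actually ends the application session; clearing the cookie alone would leave a session record that a copied cookie value could still present. The redirect is a plain 302, so the browser follows it to the SP, which then follows its own configured logout chain to the IDP.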
Single sign-out presents several potential problems.
- Users can lose unsaved / unfinished work if logging out of one tab or window means that every Shibboleth session in that browser is completely ended at the same time.
- It's also hard to do, because one SP has to command all the rest of the SPs to exit themselves as well as the IDP.
- In some cases it may not be possible to do. Some SPs won't listen to kill orders from other SPs, including some of the cloud services.
However, session-specific SP sign-out without IDP sign-out also has problems.
- A user can tell the system to log out of the SP, but the browser still has the IDP credentials for that SP.
- If they open a new tab and go back to your service, they're logged straight back in without a name and password prompt to something they'd tried to log out of.
- Anyone else who uses that browser can also log straight in without a user name and password prompt, which is a bad security idea.
Why the own-SP and IDP compromise is the best option available:
- You can end access to your own service without ending other sessions' access to their services.
- Users don't lose unstored information in other tabs or windows.
- If a user changes their mind and goes back to the service they just left, they'll get prompted to log in again, thus enforcing good security protocols.