Shibboleth, How to configure Shibboleth logout behavior

For IT Pros: How to configure your Shibboleth SP and IDP logout behavior in order to provide both security and user convenience.

Single sign-in and multiple sign-out

One of Shibboleth's major benefits for campus users is in reducing the number of times that campus users have to enter their NetID and password. Signing in to Shibboleth means that users can be recognized by all of the services that accept its single sign-on credentials.

However, an equivalent single sign-off has the potential to create unintended consequences: if a user logs out of one system and that single logout disconnects all of their Shibboleth sessions, they could lose unsaved work in other browser tabs.

In order to prevent that from happening, the campus standard behavior is to provide 'single sign-in and multiple sign-out' -- specifically the version called 'IDP logout' where you disconnect your own SP and IDP but not other SPs.

How to configure your logout behavior to make that happen

There are three major components to logging out of a Shibboleth session (your application, your SP, and the IDP), and here's what you'll want to do with each of them:

The specific steps to take:

  1. Terminate your application session.
  2. Direct the user's browser to /Shibboleth.sso/Logout on your server.
    If using defaults, this will first end the user's SP session, then direct them to the IDP's logout URL.
  3. The IDP will terminate their IDP session and display the Shibboleth logout page.

Their sessions with other SPs in the current browser session will remain active until the user logs out of those services as well.
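Here is what steps 1 and 2 look like in an application's own logout handler. This is an added example and not code from the original page or from the Shibboleth project: a minimal standard-library WSGI handler that destroys the application session server-side, expires the session cookie, and then redirects the browser to /Shibboleth.sso/Logout so the SP can end its session and hand off to the IDP (step 3 happens there, not in your code). The in-memory session store, the APPSESSION cookie name, and the /logout entry point are assumptions made for the example.

```python
"""Added example (not from the original page or the Shibboleth project):
a minimal WSGI logout handler implementing the campus steps:
  1. terminate the application session,
  2. redirect the browser to /Shibboleth.sso/Logout (the SP then ends its
     own session and forwards the user to the IDP logout, per the defaults).
The session store, cookie name and /logout path are assumptions."""
from http.cookies import SimpleCookie

SESSION_COOKIE = "APPSESSION"            # assumed application cookie name
SP_LOGOUT_PATH = "/Shibboleth.sso/Logout"  # SP logout handler named on the page

# Assumption: a server-side session store keyed by the cookie value
# (constructed sample data so the example runs offline).
SESSIONS = {"abc123": {"user": "jdoe", "unsaved_draft": "..."}}


def terminate_app_session(session_id):
    """Step 1: drop the application's own session server-side.
    Returns True if a session existed, False if there was nothing to remove."""
    return SESSIONS.pop(session_id, None) is not None


def build_logout_response(cookie_header):
    """Steps 1 and 2: invalidate the app session named in the request's
    Cookie header, then return (status, headers) for a redirect to the SP
    logout handler.  The redirect is issued even when no app session was
    found, so the SP and IDP sessions are still terminated."""
    jar = SimpleCookie(cookie_header or "")
    session_id = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None
    if session_id:
        terminate_app_session(session_id)

    # Expire the cookie client-side too, so a stale id is not re-sent.
    expired = SimpleCookie()
    expired[SESSION_COOKIE] = ""
    expired[SESSION_COOKIE]["path"] = "/"
    expired[SESSION_COOKIE]["max-age"] = 0
    expired[SESSION_COOKIE]["httponly"] = True
    expired[SESSION_COOKIE]["secure"] = True

    headers = [
        ("Location", SP_LOGOUT_PATH),
        ("Set-Cookie", expired[SESSION_COOKIE].OutputString()),
        ("Cache-Control", "no-store"),   # never cache a logout response
        ("Content-Type", "text/plain"),
    ]
    return "302 Found", headers


def logout_app(environ, start_response):
    """WSGI entry point (assumed to be mounted at /logout)."""
    status, headers = build_logout_response(environ.get("HTTP_COOKIE"))
    start_response(status, headers)
    return [b"Redirecting to Shibboleth logout\n"]
```

The important ordering is that the application session is gone before the browser is sent to the SP: if you redirected first and relied on the SP logout page to come back and clean up, a user who closed the tab mid-way would keep a live application session. Sessions with other SPs are untouched, which is exactly the 'IDP logout' behavior the campus standard calls for.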

Why to handle it this way

Single sign-out presents several potential problems.

However, session-specific SP sign-out without IDP sign-out also has problems.

Why the own-SP and IDP compromise is the best option available: