
grouper-users - Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn

Subject: Grouper Users - Open Discussion List

  • From: Jeffrey T Eaton <>
  • To: Eric Cheu <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn
  • Date: Wed, 26 Nov 2014 17:44:52 +0000
  • Accept-language: en-US

It's not as easy as deleting the IDP's cookies.  Consider the case where a user starts a browser, and accesses 3 different SPs.

The user, while interacting with one of the SPs, wants to log out.  That SP can destroy its own session state, and redirect to the IDP to delete the session state there; however, there's no currently feasible way to force a logout of the other SPs which may be maintaining their own session.

So, now the user walks away from the shared computer, and someone else walks up and happens to navigate to one of the SPs where the previous user was logged in, and is already logged in as the other user.

The only real way to manage single sign on in a shared computer environment is to have something which forcibly resets the browser state, losing all session data for all sites.  Used to be that quitting your browser would be sufficient to delete all of the cookies, but even that's becoming less reliable with browsers trying to "helpfully" restore your previous session cookies for you.


On Nov 25, 2014, at 11:35 AM, Eric Cheu <> wrote:

IMO, there should be a way to delete Shibboleth browser cookies without actually having to close the browser.  I was able to do it manually in Firefox by going through the menu system and actually looking for the Shibboleth cookies and manually deleting them.  That got the desired effect of doing a global IDP logout without having to close the browser.  It is a harder sell to use Shibboleth for certain applications if logging out of Shibboleth is unintuitive for students using shared computers on a network.

On Wed, Nov 19, 2014 at 11:46 AM, Rob Gorrell <> wrote:
I'm not much of an SP guy, so I could use some help here. We currently have the grouperUI set up behind a shibb SP to process authentication into grouper. Works great. However. Looks like the standard logout is to redirect to which only kills the app session. Is there a way we can tell grouper to additionally redirect to our IDP's logout page so we can perform a logout there as well?


Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro
