grouper-users - Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn
Subject: Grouper Users - Open Discussion List
List archive
- From: Rob Gorrell <>
- To: Jeffrey T Eaton <>
- Cc: , Eric Cheu <>
- Subject: Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn
- Date: Wed, 26 Nov 2014 13:10:25 -0500
Jeff, I understand the SLO problem... my original question was referring to the best way to make Grouper UI destroy it's session state and then immediately redirect to the Idp logout page for the Idp to do the same (opposed to killing just it's SP session and nothing more). I understand this leaves any other remaining SP logged in, but seems the most reasonable approach we have to safeguarding logout if the user doesn't close the browser.
Rob
On Nov 26, 2014 12:45 PM, "Jeffrey T Eaton" <> wrote:
It's not as easy as deleting the IDP's cookies. Consider the case where a user starts a browser, and accesses 3 different SPs.
The user, while interacting with one of the SPs, wants to log out. That SP can destroy its own session state, and redirect to the IDP to delete the session state there, however, there's no currently feasible way to force a logout of the other SPs which may be maintaining their own session.
So, now the user walks away from the shared computer, and someone else walks up and happens to navigate to one of the SPs where the previous user was logged in, and is already logged in as the other user.
The only real way to manage single sign on in a shared computer environment is to have something which forcibly resets the browser state, losing all session data for all sites. Used to be that quitting your browser would be sufficient to delete all of the cookies, but even that's becoming less reliable with browsers trying to "helpfully" restore your previous session cookies for you.
-jeaton
On Nov 25, 2014, at 11:35 AM, Eric Cheu <> wrote:
IMO, there should be a way to delete shibboleth browser cookies without actually having to close the browser. I was able to do it manually in firefox by going through the menu system and actually looking for the shibboleth cookies and manually deleting them. That got the desired effect of doing a global IDP logout without having to close the browser. It is a harder sell to use shibboleth for certain applications if logging out of shibboleth is unintuitive for students using shared computers on a network.
On Wed, Nov 19, 2014 at 11:46 AM, Rob Gorrell <> wrote:
I'm not much of an SP guy, so I could use some help here. We currently have the grouperUI set up behind a shibb SP to process authentication into grouper. Works great. However. Looks like the standard logout is to redirect to logout.do which only kills the app session. Is there a way we can tell grouper to additionally redirect to our IDP's logout page so we can perform a logout there as well?
-Rob
--
Robert W. Gorrell
Systems Architect, Identity and Access Management
- [grouper-users] GrouperUI performing an IDP logout when using shibb authn, Rob Gorrell, 11/19/2014
- Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn, Eric Cheu, 11/25/2014
- Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn, David Langenberg, 11/25/2014
- Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn, Jeffrey T Eaton, 11/26/2014
- Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn, Rob Gorrell, 11/26/2014
- Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn, Eric Cheu, 11/26/2014
- <Possible follow-up(s)>
- Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn, Chris Hyzer, 11/26/2014
- Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn, Eric Cheu, 11/25/2014
Archive powered by MHonArc 2.6.16.