Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn

Chronological Thread 
  • From: Chris Hyzer <>
  • To: Eric Cheu <>, Jeffrey T Eaton <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn
  • Date: Wed, 26 Nov 2014 13:24:17 -0500
  • Importance: normal

This is no different than any other web application.  For 2.2.2 I will make sure there is a way to remove specified cookies (that grouper is allowed to delete by domain) by name prefix. Also you will be able to specify a single logout url if your institution has one.  Ok?  Thanks, Chris

-------- Original message --------
From: Eric Cheu <>
Date: 11/26/2014 1:16 PM (GMT-05:00)
To: Jeffrey T Eaton <>
Subject: Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn

If this is really true, then the wording on the grouper page (or at least our version of grouper, 2.2) is out of date.  It says:

"Note: Your session has been ended, however, it is possible that you are still logged in. The only way to be sure that you have logged out is to close ALL browser windows."

And might even be a blow to using grouper for certain secure applications, at least for general student use.

On Wed, Nov 26, 2014 at 12:44 PM, Jeffrey T Eaton <> wrote:
It's not as easy as deleting the IDP's cookies.  Consider the case where a user starts a browser, and accesses 3 different SPs.

The user, while interacting with one of the SPs, wants to log out.  That SP can destroy its own session state, and redirect to the IDP to delete the session state there, however, there's no currently feasible way to force a logout of the other SPs which may be maintaining their own session. 

So, now the user walks away from the shared computer, and someone else walks up and happens to navigate to one of the SPs where the previous user was logged in, and is already logged in as the other user.

The only real way to manage single sign on in a shared computer environment is to have something which forcibly resets the browser state, losing all session data for all sites.  Used to be that quitting your browser would be sufficient to delete all of the cookies, but even that's becoming less reliable with browsers trying to "helpfully" restore your previous session cookies for you.


On Nov 25, 2014, at 11:35 AM, Eric Cheu <> wrote:

IMO, there should be a way to delete shibboleth browser cookies without actually having to close the browser.  I was able to do it manually in firefox by going through the menu system and actually looking for the shibboleth cookies and manually deleting them.  That got the desired effect of doing a global IDP logout without having to close the browser.  It is a harder sell to use shibboleth for certain applications if logging out of shibboleth is unintuitive for students using shared computers on a network.

On Wed, Nov 19, 2014 at 11:46 AM, Rob Gorrell <> wrote:
I'm not much of an SP guy, so I could use some help here. We currently have the grouperUI set up behind a shibb SP to process authentication into grouper. Works great. However. Looks like the standard logout is to redirect to which only kills the app session. Is there a way we can tell grouper to additionally redirect to our IDP's logout page so we can perform a logout there as well?


Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro

Archive powered by MHonArc 2.6.16.

Top of Page