
shibboleth-dev - RE: F2F and SLO

Subject: Shibboleth Developers


RE: F2F and SLO


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: F2F and SLO
  • Date: Tue, 29 Aug 2006 10:53:57 -0400
  • Organization: The Ohio State University

> Not a chance. It is, after all, the very essence of shib that no one
> knows it's there.

Shibboleth is not one thing, though, it's just SAML software that lots of
people use for many different things. What I was describing is what I've
been told by people in Liberty when I've asked about single logout and how
it's been implemented and used by *some* people.

I also think SP-initiated logout is not quite the same thing as
IdP-initiated logout, and I think it gets used for different user experience
models than the one you're focused on.

But as I've made no secret, I believe SLO is impractical anyway. So I have
no particular "magic bullet" for how to implement this. I've never done it,
and aside from the session mechanics, I have no idea how to do it from a UI
point of view. Some of the ways I can think of to make it usable are
impossible, because they get blocked by the default settings on most
browsers.

Unless I get help (which I'm expecting from Chad at least), there's a pretty
good chance I won't do it right the first time. But I also have to live
within what the standard requires. If you think the standard's wrong, this
isn't a venue where we can deal with it. I think it's wrong for even including
SLO, so clearly I don't agree with it either.

> Students at UW, to give an example, wouldn't know
> InCommon or any other federation from the man in the moon. They log
> in to UW and they expect to log out from UW. Even when they click on
> a logout button on some remote application they expect it to be a UW site
> that finally says, "You're logged out."

I can think of ways to make that happen, but it depends on what browsers
allow in a frame, and whether there are bugs in what they allow. But as a
rule, I don't think that's what SP-initiated logout is *in general* designed
for.

But I can imagine extending the metadata to include landing points for SP
logout back at a user's IdP if that's what we need to do to permit it.

-- Scott
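The "session mechanics" the message refers to, modeled as an added example (this is illustration code, not Shibboleth, OpenSAML or the author's code): an IdP that records which SPs are participants in a user's session, an SP-initiated LogoutRequest that the IdP fans out to every other participant, and an IdP-initiated logout that fans out to all of them. The entity IDs, the in-memory session stores and the `reachable` flag are constructed for the example; the two status URIs are the ones SAML 2.0 defines. The scenario worth noticing is the one where a participant never answers: the IdP's own session is gone and the initiating SP is logged out, but the silent SP still holds a live session and the IdP can only report PartialLogout.

```python
"""Model of SAML 2.0 Single Logout session mechanics (added example, not
Shibboleth code).  Entity IDs, session stores and `reachable` are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


def _saml_id() -> str:
    # SAML message IDs must be XML NCNames, hence the leading underscore.
    return "_" + secrets.token_hex(16)


@dataclass
class LogoutRequest:
    issuer: str          # entityID of the sender
    name_id: str         # principal being logged out
    session_index: str   # which session at the receiver is meant
    request_id: str = field(default_factory=_saml_id)


@dataclass
class LogoutResponse:
    issuer: str
    in_response_to: str
    status: str


class ServiceProvider:
    def __init__(self, entity_id: str, reachable: bool = True):
        self.entity_id = entity_id
        self.reachable = reachable          # constructed: can the IdP reach us?
        self.sessions: Dict[str, str] = {}  # session_index -> name_id

    def establish_session(self, name_id: str, session_index: str) -> None:
        self.sessions[session_index] = name_id

    def handle_logout_request(self, req: LogoutRequest) -> Optional[LogoutResponse]:
        """LogoutRequest arriving from the IdP.  None models an SP that never
        answers (down, or a front-channel hop the browser refused)."""
        if not self.reachable:
            return None
        self.sessions.pop(req.session_index, None)
        return LogoutResponse(self.entity_id, req.request_id, STATUS_SUCCESS)

    def initiate_logout(self, idp: "IdentityProvider", session_index: str) -> LogoutResponse:
        """SP-initiated SLO: drop the local session, ask the IdP to propagate."""
        name_id = self.sessions.pop(session_index)
        return idp.handle_logout_request(
            LogoutRequest(self.entity_id, name_id, session_index))


class IdentityProvider:
    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self.sps: Dict[str, ServiceProvider] = {}
        # idp_session_id -> {"name_id": str, "participants": {sp_entity_id: session_index}}
        self.sessions: Dict[str, dict] = {}

    def register(self, sp: ServiceProvider) -> None:
        self.sps[sp.entity_id] = sp

    def login(self, name_id: str) -> str:
        sid = _saml_id()
        self.sessions[sid] = {"name_id": name_id, "participants": {}}
        return sid

    def sso(self, idp_session_id: str, sp: ServiceProvider) -> str:
        """Issue an assertion to an SP and remember it as a session participant."""
        sess = self.sessions[idp_session_id]
        index = _saml_id()
        sess["participants"][sp.entity_id] = index
        sp.establish_session(sess["name_id"], index)
        return index

    def _propagate(self, sess: dict, exclude: Optional[str]) -> str:
        """Send a LogoutRequest to every participant except `exclude`; any
        missing or non-Success answer downgrades the result to PartialLogout."""
        status = STATUS_SUCCESS
        for sp_id, index in sess["participants"].items():
            if sp_id == exclude:
                continue
            resp = self.sps[sp_id].handle_logout_request(
                LogoutRequest(self.entity_id, sess["name_id"], index))
            if resp is None or resp.status != STATUS_SUCCESS:
                status = STATUS_PARTIAL
        return status

    def handle_logout_request(self, req: LogoutRequest) -> LogoutResponse:
        """SP-initiated SLO: locate the IdP session this SP/index belongs to."""
        for sid, sess in self.sessions.items():
            if sess["participants"].get(req.issuer) == req.session_index:
                del self.sessions[sid]
                status = self._propagate(sess, exclude=req.issuer)
                return LogoutResponse(self.entity_id, req.request_id, status)
        # Unknown session: nothing left to log out (this example answers Success).
        return LogoutResponse(self.entity_id, req.request_id, STATUS_SUCCESS)

    def initiate_logout(self, idp_session_id: str) -> str:
        """IdP-initiated SLO: the IdP fans out to every participant itself."""
        return self._propagate(self.sessions.pop(idp_session_id), exclude=None)


def demo(app2_reachable: bool):
    """One user, two SPs, logout started at app1; returns (status, sessions left)."""
    idp = IdentityProvider("https://idp.example.edu/idp")
    app1 = ServiceProvider("https://app1.example.edu/sp")
    app2 = ServiceProvider("https://app2.example.edu/sp", reachable=app2_reachable)
    idp.register(app1)
    idp.register(app2)
    sid = idp.login("student@example.edu")
    idx1 = idp.sso(sid, app1)
    idp.sso(sid, app2)
    resp = app1.initiate_logout(idp, idx1)
    return resp.status, len(app1.sessions), len(app2.sessions), len(idp.sessions)
```

Run `demo(True)` and `demo(False)` side by side: with both SPs answering, every store is empty and the status is Success; with app2 silent, app1 and the IdP have forgotten the user, app2 still has one live session, and the only honest thing the IdP can tell app1 is PartialLogout. Whatever page the user finally lands on, it cannot truthfully say "you're logged out" in the second case.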
