Shibboleth Developers

[Jim Fox <>]

One of the difficulties of a shibboleth logout is the requirement
that applications, which may have independent, cookie-based sessions,
also need to be logged out.  Otherwise the logout is ineffective
and misleading.

A logout using browser redirection could conceivably allow
applications to participate.  The logout path is, however, so
circuitous and so tenuous and fragile that no one believes it would
ever reliably complete.   In addition, each application must support
its part of the redirection scheme, which becomes a documented and
exported API.

The out-of-band, SOAP logout method, which has none of these
limitations, can be made to support application logout as well.
All that's needed is an API, provided on each the SP, that answers
the question, "Is user 'xxxx' logged out?"  It might be a socket
interface, a library api, or a shell command.  Each participating
application needs only to ask the question on each request -
a far cry easier than supporting the browser logout redirection.

Jim