Shibboleth Developers

["Scott Cantor" <>]

> The out-of-band, SOAP logout method, which has none of these
> limitations, can be made to support application logout as well.
> All that's needed is an API, provided on each the SP, that answers
> the question, "Is user 'xxxx' logged out?"  It might be a socket
> interface, a library api, or a shell command.  Each participating
> application needs only to ask the question on each request -
> a far cry easier than supporting the browser logout redirection.

You're assuming the application can be modified to perform per-request work
like this, I guess?

In Java an API is fine, but we did a lot of hand waving in DC about how
"easy" it is to do this sort of thing to solve other problems like token
export, without actually addressing it. It's not all that easy.

Actual APIs are a big swamp for me due to the number of languages to be
supported, and the fact that it simply isn't possible to do in general
without some kind of remoting involved.

So that leaves sockets and other mechanisms that involve a degree of work
and set up that I do not believe applications would be willing to take on
unless all the work was done for them, which gets us right back to the API
problem.

It's a possible enhancement, but it's definitely not a panacea to me.

-- Scott