
shibboleth-dev - RE: single-log-out "forecasting"

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: single-log-out "forecasting"
  • Date: Mon, 10 Mar 2008 13:11:06 -0400
  • Organization: The Ohio State University

> the more I look for single-log-out solutions tested and
> properly-working with shibboleth, the more I find out
> * dated documents saying that shib2 will support SAML2.0 single logout
> specifications and
> * recent documents/posts saying it won't be supported before the first
> official release.

SP does, IdP doesn't. By "does", I just mean there's lots of barely tested
code to do SLO and do application notifications and all kinds of barely
documented things. We got it to work with, I think, Ping's IdP a long while
back, but since the developers can't test other products and very few people
have done significant testing of that nature, there isn't much I can say.
Testing SLO is almost always artificial and doesn't address the problem of
what users do vs. what people like to pretend they do.

> Making use of an external SSO mechanism (pubcookie, CAS, etc) would
> result in a more difficult to deploy/maintain architecture whereas we
> chose shibboleth to simplify federations' resources management.
> Can you make any prediction for a shibboleth-only solution?

I don't see any connection between SLO and using an external SSO other than
it will in most cases make SLO harder, not easier. In some cases impossible.

> Based on your experience and thinking about this inherently complex
> problem, how long could it take for a completely coded software to
> become an (almost-)fully-functional one?

I expect the initial SP release to be full of SLO bugs. If it works well by
the second point release, I'd be satisfied.

-- Scott




