shibboleth-dev - Re: [Shib-Dev] Mixing up principal identities

Subject: Shibboleth Developers

  • From: Paul Hethmon
  • To: Shibboleth Dev
  • Subject: Re: [Shib-Dev] Mixing up principal identities
  • Date: Thu, 01 Apr 2010 09:44:42 -0400

On 4/1/10 9:17 AM, "Chad La Joie" wrote:

>> In my case, because of bad user habits, it's not doing the right thing and
>> I've got to change it in some way. A quick test shows that I can null out
>> the IdP session object in the http request and get what I need. That just
>> leaves lingering doubts on whether that's the right way.
>
> Sorry, but this is complete bollocks. There is no technical solution to
> bad user habits. Logout doesn't work. We've said that again and again
> and to date every person who has tried to make it work just ends up
> proving the point. The SLO plugin produced for Shib and the SLO
> features of other products, all of which claim to work, do in fact work
> as long as nothing ever goes wrong. But again, that's not reality.

In this case, not even trying to use SLO. The users "logout" of their
session with the SP and leave the browser open for the next person who sits
down at the community computer. I would certainly like to force them to
close the browser, but with IE, that's easier said than done. The user can
"close" their window but leave the process still running and maintaining the
sessions.

For me, whether wrong or right, my users only ever have a single principal
name. So for now I'll go the route of explicitly nulling out the IdP session
information in my login servlet. I'm sure it will bite me later.

thanks,

Paul



