Etienne Dysli-Metref
etienne.dysli-metref@switch.ch
There are new sessions opened everywhere!
Nowadays, closing the browser is not enough to clear session cookies (Firefox session restore).
Maybe at some point there will be a GUI in the IdP for administrative logout.
Configuration details are not shown in the talk itself, but they are listed here for reference.
Logout endpoints:
/idp/profile/Logout
/Shibboleth.sso/Logout (requested with the session cookie)
/Shibboleth.sso/Logout
IdP properties (value used, with the IdP default in brackets):
idp.session.trackSPSessions = true [default: false]
idp.session.secondaryServiceIndex = true [default: false]
idp.logout.elaboration = true [default: false]
idp.session.defaultSPlifetime = PT2H [default: PT2H]
idp.session.slop = PT0S [default: PT0S]
idp.logout.authenticated = true [default: true]
Reference: LogoutConfiguration
Publish SingleLogoutService endpoints in metadata.
Add "SAML2" inside the Logout element (in shibboleth2.xml):
<Logout>SAML2 Local</Logout>
Reference: NativeSPServiceLogout
Add a Notify element (in shibboleth2.xml):
<Notify Channel="front" Location="https://sp.example.org/app/logout-notify"/>
and program your application to respond at the given URL
References: NativeSPNotify, SLOWebappAdaptation
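What "program your application to respond at the given URL" amounts to, as an added example that is not part of the slides or of the Shibboleth project: a minimal handler for the front-channel Notify location above. It assumes the NativeSPNotify contract in which the SP redirects the browser to the Location with the query parameters `action=logout` and `return=<URL>`, and that the application must drop its own session and send the browser back to `return`. The in-memory session store, the allowed-host list and the function name are constructed for the example.

```python
"""Front-channel logout-notification handler for an SP-protected application.

Added example, not from the slides or the Shibboleth project.  Assumed contract
(NativeSPNotify): the SP redirects the browser to the Notify Location with
``action=logout`` and ``return=<URL>``; the application must destroy its own
session and redirect the browser back to ``return``.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory session store: application session id -> session data.
SESSIONS = {"app-sess-1": {"user": "alice"}, "app-sess-2": {"user": "bob"}}

# Hosts the handler is willing to redirect back to.  The SP handler
# (/Shibboleth.sso/Logout) lives on the application's own host, so only that
# host is accepted; this list is an assumption for the example.
ALLOWED_RETURN_HOSTS = {"sp.example.org"}


def handle_logout_notify(query_string, app_session_id, sessions=SESSIONS):
    """Process one front-channel notification.

    Returns a (status, headers, body) triple in the style of a WSGI response so
    the logic can be tested without a web framework.
    """
    params = parse_qs(query_string)
    action = params.get("action", [None])[0]
    if action != "logout":
        return ("400 Bad Request", [("Content-Type", "text/plain")],
                b"unsupported action")

    # The SP is the authority on session state: drop the application's own
    # session first, before anything that could still fail below.
    sessions.pop(app_session_id, None)

    return_url = params.get("return", [None])[0]
    if not return_url:
        # No return location: nothing left to chain to, report completion.
        return ("200 OK", [("Content-Type", "text/plain")], b"logged out")

    # Only bounce the browser back to the SP's own host over HTTPS; an
    # unchecked "return" parameter would turn this endpoint into an open
    # redirect.
    parts = urlsplit(return_url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_RETURN_HOSTS:
        return ("400 Bad Request", [("Content-Type", "text/plain")],
                b"return URL not allowed")

    headers = [
        ("Location", return_url),
        # Never cache a logout step; a cached redirect would skip the handler.
        ("Cache-Control", "no-store"),
    ]
    return ("302 Found", headers, b"")


if __name__ == "__main__":
    # Constructed notification as the SP would issue it after SAML2 Local logout.
    qs = "action=logout&return=https%3A%2F%2Fsp.example.org%2FShibboleth.sso%2FLogout"
    print(handle_logout_notify(qs, "app-sess-1"))
    print(sorted(SESSIONS))
```

The session is removed before the return URL is validated, so a notification with a bad `return` still logs the user out locally; the only thing refused is the redirect itself.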
Publish SingleLogoutService endpoints in metadata.
--- system/flows/logout/logout-flow.xml 2016/01/20 19:57:55 8080+++ system/flows/logout/logout-flow.xml 2016/04/01 14:23:58 8190@@ -73,7 +73,7 @@ <view-state id="LogoutView" view="logout">- <on-entry>+ <on-render> <evaluate expression="WriteAuditLog" /> <evaluate expression="environment" result="viewScope.environment" /> <evaluate expression="opensamlProfileRequestContext" result="viewScope.profileRequestContext" />@3,7 +83,7 @@ <evaluate expression="flowRequestContext.getExternalContext().getNativeRequest()" result="viewScope.request" /> <evaluate expression="flowRequestContext.getExternalContext().getNativeResponse()" result="viewScope.response" /> <evaluate expression="flowRequestContext.getActiveFlow().getApplicationContext().containsBean('shibboleth.CustomViewContext') ? flowRequestContext.getActiveFlow().getApplicationContext().getBean('shibboleth.CustomViewContext') : null" result="viewScope.custom" />- </on-entry>+ </on-render> <transition on="proceed" to="LogoutCompleteView" /> <transition on="end" to="LogoutCompleteView" /> <transition on="propagate" to="LogoutPropagateView" />
original diff from svn.shibboleth.net
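Review bot: moving the whole `<on-entry>` block of LogoutView to `<on-render>` also moves `<evaluate expression="WriteAuditLog" />`, so an audit record is now written every time the view is rendered (a browser reload of the logout page included) instead of once when the state is entered; if only the `viewScope.*` values need refreshing per render, keep WriteAuditLog under `<on-entry>` and move just those evaluations. The second hunk header also appears here as `@3,7 +83,7 @@`, so the patch as shown would not apply until the header is restored.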
--- system/flows/logout/propagation/cas-flow.xml 2015/10/14 15:50:01 7822+++ system/flows/logout/propagation/cas-flow.xml 2016/04/01 14:23:58 8190@@ -3,12 +3,12 @@ xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"> <view-state id="ShowServiceLogoutView" view="cas/logoutService">- <on-entry>+ <on-render> <set name="viewScope.logoutPropCtx" value="opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.session.context.LogoutPropagationContext))" /> <set name="viewScope.messageID" value="T(java.util.UUID).randomUUID()" /> <set name="viewScope.issueInstant" value="DateFormatter.print(T(org.joda.time.DateTime).now())" />- </on-entry>+ </on-render> <transition on="proceed" to="proceed" /> </view-state>
original diff from svn.shibboleth.net
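Review bot: with `<on-render>`, `viewScope.messageID` (a fresh `randomUUID()`) and `viewScope.issueInstant` are regenerated on every render of ShowServiceLogoutView, so a reloaded page sends the CAS service a new logout message rather than repeating the one built on state entry; the hunk carries no comment saying that per-render values are the intent, and a one-line XML comment above `<on-render>` would save the next maintainer from moving it back. `getSubcontext(...)` for `viewScope.logoutPropCtx` can also return null, so check that the `cas/logoutService` view tolerates that.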
--- views/logout.vm 2016/01/05 12:57:59 8067+++ views/logout.vm 2016/02/18 17:39:36 8095@@ -65,10 +65,8 @@ </ol> #else <p><strong>#springMessageText("idp.logout.complete", "The logout operation is complete, and no other services appear to have been accessed during this session.")</strong></p>-<!-- If SAML logout with no extra work to do, complete the flow by adding a hidden iframe. -->-#if ( $profileRequestContext.getProfileId().contains("saml2/logout") )-<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed">-#end+<!-- Complete the flow by adding a hidden iframe. -->+<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe> #end </div>
original diff from svn.shibboleth.net
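Review bot: dropping the `contains("saml2/logout")` guard makes the hidden iframe fire `_eventId=proceed` for every profile that reaches this `#else` branch, not only SAML 2 logout; the rewritten comment records the new behaviour but not why the profile check was no longer needed, which belongs in the commit message. The added `</iframe>` fixes the previously unclosed element. Strictly, the `&` in the `src` attribute value `$flowExecutionUrl&_eventId=proceed` should be written `&amp;`; browsers tolerate the bare form but markup validation will flag it.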
--- views/logout-complete.vm 2015/10/28 16:17:35 7896+++ views/logout-complete.vm 2016/02/18 17:39:36 8095@@ -44,7 +44,7 @@ <!-- If SAML logout, complete the flow by adding a hidden iframe. --> #if ( $profileRequestContext.getProfileId().contains("saml2/logout") )-<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed">+<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe> #end <footer>
original diff from svn.shibboleth.net
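Review bot: the change is limited to closing the iframe element, which is the right fix, but this template keeps the `contains("saml2/logout")` guard that logout.vm drops in the same set of changes; confirm the two templates are meant to differ, and otherwise apply the same simplification here so the logout and logout-complete views behave alike.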
--- system/views/logout/propagate.vm 2015/11/06 20:22:32 7958+++ system/views/logout/propagate.vm 2016/02/18 17:39:36 8095@@ -99,5 +99,5 @@ <!-- If SAML logout, complete the flow by adding a hidden iframe. --> #if ( $profileRequestContext.getProfileId().contains("saml2/logout") )-<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed">+<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe> #end
original diff from svn.shibboleth.net
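Review bot: same closing-tag fix as in logout-complete.vm, with the same retained `saml2/logout` guard. The identical iframe block now appears in three templates (logout.vm, logout-complete.vm, propagate.vm), so a shared Velocity macro would keep any future change to the proceed mechanism in one place.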