...
CCC's Single Logout solution leverages the SSO Proxy GW and the proprietary SSO endpoints of the College Identity Providers to achieve single logout.
...
| Lucidchart | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Logout Flow
User Clicks Logout
The user clicks logout in the Service provider (i.e Common Assessment). Since all CCC Services use Spring Security SAML (CWF - Is this a valid assumption?)(PKN For Apps not using spring security, the will have to create custom logout code that accomplished the same thing), logging out in Spring Security will terminate both the SSO and application session. When logout is complete, the user will be directed to the new logout page in the SSO ProxyGW.
User lands on SSO
...
GW after Service Provider Logout
Call Logout endpoints for all known service providers
When the user lands on the SSO Proxy GW page, a series of embedded IFRAME requests will make REST call redirects to all known service provider endpoints. If the user is not actually logged into to an endpoint, the request will be ignored.
In a future enhancement, the SSO Proxy GW could keep track of of Service Providers the user has logged into, but this will required a longer SSO Session time in the SSO Proxy GW which could have a negative impact on SSO Proxy GW performance and cost due to the cost of caching session data for longer period of time. (CWF - The number of Service Providers is growing quickly, especially with the addition of Canvas and Hobsons SPs. I think the cost of caching these would be minimal compared to the downside of not doing so.)
Service Provider terminates SSO and Application session
When a Service Provider receives the logout request the application session and SSO session will be terminated. Since all CCC Applications will be using Spring Security SAML (CWF - Is this a valid assumption?), both SSO and application session termination will be handled by Spring Security SAML.
After the IFRAME requests to the Service Provider Logout endpoints, another IFRAME request will be issued to the proprietary logout endpoint of the IDP that initially authenticated the user (authsource).
SSO Proxy GW displays message to user to close the browser.
Because the SP and IDP logout request are made in embedded IFRAMES, the logout process will not be visible to the user. What is rendered is a message to the user to close there browser to ensure that they are fully logged out. (Actual text to follow)
Background
In a non-federated suite of applications where the applications and authentication mechanism is controlled by a single institution, logout is a simple requirement to implement.
...
- Will the user be using a shared workstation/kiosk where especially important that a previous user's session not be assessable accessible by a new user?
- At which college/district IDP did the user authenticate?
- If a user is logged into to multiple applications, does logging out of one application mean the user should be logged out of all applications? For example, if the user is logged into MyPath and Canvas, does logging out of MyPath also mean the user should be logged out of Canvas?
...
- The application containing the logout link (and SSO session if separate) terminating.
- All other Technology center applications (and SSO session if separate) terminating.
- The IDP (and ProxyGW?) session terminating.
- A final page instructing the user to close the browser.
...
- The application containing the logout link (and SSO session if separate) terminating.
- The IDP (and ProxyGW?) session terminating.
- A final page instructing the user to close the browser.
Reference
https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues
...