...
CCC's Single Logout solution leverages the SSO Gateway (GW) and the proprietary SSO endpoints of the College Identity Providers to achieve single logout.
...
| Lucidchart | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Logout Flow
User Clicks Logout
The user clicks logout in the Service provider (i.e Common Assessment). Since all CCC Services use Spring Security SAML (CWF - Is this a valid assumption?)(PKN For Apps not using spring security, the will have to create custom logout code that accomplished the same thing), logging out in Spring Security will terminate both the SSO and application session. When logout is complete, the user will be directed to the new logout page in the SSO GW.
User lands on SSO GW after Service Provider Logout
Call Logout endpoints for all known service providers
When the user lands on the SSO GW page, a series of embedded IFRAME requests will make REST call redirects to all known service provider endpoints. If the user is not actually logged into to an endpoint, the request will be ignored.
In a future enhancement, the SSO GW could keep track of of Service Providers the user has logged into, but this will required a longer SSO Session time in the SSO GW which could have a negative impact on SSO GW performance and cost due to the cost of caching session data for longer period of time. (CWF - The number of Service Providers is growing quickly, especially with the addition of Canvas and Hobsons SPs. I think the cost of caching these would be minimal compared to the downside of not doing so.)
Service Provider terminates SSO and Application session
When a Service Provider receives the logout request the application session and SSO session will be terminated. Since all CCC Applications will be using Spring Security SAML (CWF - Is this a valid assumption?), both SSO and application session termination will be handled by Spring Security SAML.
...
Because the SP and IDP logout request are made in embedded IFRAMES, the logout process will not be visible to the user. What is rendered is a message to the user to close there browser to ensure that they are fully logged out. (Actual text to follow)
Background
In a non-federated suite of applications where the applications and authentication mechanism is controlled by a single institution, logout is a simple requirement to implement.
...
- The application containing the logout link (and SSO session if separate) terminating.
- The IDP (and GW?) session terminating.
- A final page instructing the user to close the browser.
Reference
https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues
...