
In a federated SAML2 SSO environment, logging out of an application is a complex problem: every SAML2 Service Provider and Identity Provider participating in the user's SSO session holds its own session state, and each of those sessions has to be ended.

SAML2 defines a standard Single Logout (SLO) profile, but it has never been widely adopted, because of the complex configuration it requires of every Service Provider and Identity Provider, and the large number of front-channel redirects or back-channel requests (one per participating provider) needed to carry out SLO across the federation. Because of these issues, many SAML2 identity providers, including Shibboleth, PortalGuard and Ellucian, provide proprietary logout endpoints that greatly simplify the logout process.

CCC's Single Logout solution uses the SSO proxy together with the proprietary logout endpoints of the college Identity Providers to achieve single logout.





In a non-federated suite of applications, where the applications and the authentication mechanism are controlled by a single institution, logout is a simple requirement to implement.

In a federated SSO scenario, the following questions must be answered before logout can be implemented:

  • Will the user be on a shared workstation or kiosk, where it is especially important that a previous user's session is not accessible to the next user?
  • At which college/district IDP did the user authenticate? That is the IDP session that must be terminated, so the proxy has to know it.
  • If a user is logged into multiple applications, does logging out of one application mean the user should be logged out of all of them? For example, if the user is logged into MyPath and Canvas, does logging out of MyPath also log the user out of Canvas?


The following article gives a good explanation of the issues associated with logout in a federated environment.



For applications developed by the CCC Technology Center and its development partners, clicking the logout link in the application results in:

  • The session of the application containing the logout link (and its SSO session, if separate) terminating.
  • All other Technology Center application sessions (and their SSO sessions, if separate) terminating.
  • The IDP (Proxy?) session terminating.
  • A final page instructing the user to close the browser.


For applications not developed by CCC, e.g. Canvas or Hobsons, clicking the logout link results in:

  • The session of the application containing the logout link (and its SSO session, if separate) terminating.
  • The IDP (Proxy?) session terminating.
  • A final page instructing the user to close the browser.
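As an added example, not code from the CCC Technology Center or its SSO proxy, the following Python models the two logout behaviours listed above as a planner running at the proxy: given the user's proxy session (which IDP authenticated them and which applications currently have sessions) and the application whose logout link was clicked, it returns the ordered steps the proxy must carry out. The application registry, the IDP logout endpoints, every URL and the sessions are all constructed for the example (the IDP table stands in for the per-college lookup an authsources-style file would hold) and are not real endpoints. It also handles the failure mode behind the second question above: if the proxy cannot tell which IDP authenticated the user, the IDP session cannot be ended, so the planner refuses rather than silently leaving it alive.

```python
"""Logout planner for a federated SSO proxy (illustrative, constructed data)."""
from dataclasses import dataclass, field

# Constructed registry of relying applications. "tc_app" marks applications
# developed by the CCC Technology Center, which take part in cross-application
# logout; third-party applications (Canvas, Hobsons) do not.
APPLICATIONS = {
    "mypath":   {"tc_app": True,  "logout_url": "https://mypath.example/logout"},
    "cccapply": {"tc_app": True,  "logout_url": "https://apply.example/logout"},
    "canvas":   {"tc_app": False, "logout_url": "https://canvas.example/logout"},
    "hobsons":  {"tc_app": False, "logout_url": "https://hobsons.example/logout"},
}

# Constructed per-college IDP table: one proprietary logout endpoint per IDP.
# (Assumption: the proxy holds such a lookup; the entity IDs and URLs are made up.)
IDP_LOGOUT_ENDPOINTS = {
    "urn:idp:college-a": "https://idp.college-a.example/logout",
    "urn:idp:college-b": "https://sso.college-b.example/logout",
}

# Constructed final page that tells the user to close the browser.
FINAL_PAGE = "https://sso.example/logged-out"


@dataclass
class ProxySession:
    """One user's SSO session as the proxy sees it."""
    idp_entity_id: str                  # the college/district IDP that authenticated the user
    active_apps: set = field(default_factory=set)   # applications with a live session


def plan_logout(session, initiating_app):
    """Return the ordered (action, target) steps for a logout started at initiating_app.

    Raises ValueError when the application is unknown or when the proxy does not
    know a logout endpoint for the IDP that authenticated the user, because in
    that case the IDP session would survive the logout.
    """
    if initiating_app not in APPLICATIONS:
        raise ValueError(f"unknown application {initiating_app!r}")
    if session.idp_entity_id not in IDP_LOGOUT_ENDPOINTS:
        raise ValueError(f"no logout endpoint known for IDP {session.idp_entity_id!r}")

    steps = []
    # 1. The application whose logout link was clicked always ends.
    steps.append(("app_logout", APPLICATIONS[initiating_app]["logout_url"]))

    # 2. Only a Technology Center application pulls the other Technology Center
    #    applications down with it; a third-party application ends only itself.
    if APPLICATIONS[initiating_app]["tc_app"]:
        for app in sorted(session.active_apps):
            if app != initiating_app and APPLICATIONS.get(app, {}).get("tc_app"):
                steps.append(("app_logout", APPLICATIONS[app]["logout_url"]))

    # 3. End the IDP/proxy session at the IDP the user actually authenticated against.
    steps.append(("idp_logout", IDP_LOGOUT_ENDPOINTS[session.idp_entity_id]))

    # 4. The proxy cannot clear every cookie in the browser, so the user is sent to
    #    a page telling them to close it (essential on a shared workstation or kiosk).
    steps.append(("final_page", FINAL_PAGE))
    return steps


def apply_logout(session, initiating_app):
    """Run the plan against the session model and return the application sessions that survive."""
    steps = plan_logout(session, initiating_app)
    ended = {app for app, info in APPLICATIONS.items()
             if ("app_logout", info["logout_url"]) in steps}
    session.active_apps -= ended
    return session.active_apps


if __name__ == "__main__":
    s = ProxySession("urn:idp:college-a", {"mypath", "cccapply", "canvas"})
    for action, target in plan_logout(s, "mypath"):
        print(f"{action:11} {target}")
```

The two branches encode the answer to the MyPath/Canvas question above: logging out of MyPath also ends CCCApply and the IDP session but leaves the Canvas application session to Canvas, while logging out of Canvas ends only Canvas and the IDP session. Either way the IDP session is gone, so no application can silently re-authenticate the user afterwards, and the final page is always the last step.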


Reference

https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues

http://xacmlinfo.org/2013/06/28/how-saml2-single-logout-works/

https://www.portalguard.com/blog/2016/06/20/saml-single-logout-need-to-know/


https://saml-resources.cccmypath.org/resources/authsources_prod.json