Version 13 (old version of this page)

In a federated SAML2 SSO environment, logging a user out of an application is a complex problem, because the logout has to account for every SAML2 Service Provider and Identity Provider participating in the user's SSO session.

SAML2 defines a standard Single Logout (SLO) profile, but it was never widely adopted by the SAML2 community, because of the complex configuration required of Service and Identity Providers and the large number of browser redirects (one per participating provider) required to carry out SLO across the federation. Because of these issues, major SAML2 identity providers including Shibboleth, PortalGuard and Ellucian provide proprietary logout endpoints that greatly simplify the logout process.

CCC's Single Logout solution leverages the SSO proxy and the proprietary logout endpoints of the College Identity Providers to achieve single logout.



Logout Flow

  1. User clicks Logout
  2. Terminate the application session
  3. Terminate the Service Provider SSO session
  4. Call the logout REST endpoints of all known Service Providers


In a non-federated suite of applications, where the applications and the authentication mechanism are controlled by a single institution, logout is a simple requirement to implement.

In a federated SSO scenario, the following questions must be answered before logout functionality can be implemented:

  • Will the user be using a shared workstation/kiosk, where it is especially important that a previous user's session not be accessible to the next user?
  • At which college/district IdP did the user authenticate? (Only that IdP's session can be terminated, and its proprietary logout endpoint must be looked up.)
  • If a user is logged into multiple applications, does logging out of one application mean the user should be logged out of all applications? For example, if the user is logged into MyPath and Canvas, does logging out of MyPath also mean the user should be logged out of Canvas?


The following article has a good explanation of the issues associated with logout in a federated environment.



For applications developed by the CCC Technology Center and its development partners, clicking the logout link in the application will result in:

  • The application containing the logout link (and its SSO session, if separate) terminating.
  • All other Technology Center applications (and their SSO sessions, if separate) terminating.
  • The IdP (Proxy?) session terminating.
  • A final page instructing the user to close the browser.


For applications not developed by CCC, e.g. Canvas or Hobsons, clicking the logout link will result in:

  • The application containing the logout link (and its SSO session, if separate) terminating.
  • The IdP (Proxy?) session terminating.
  • A final page instructing the user to close the browser.
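The following is an added example, not CCC code, showing one way to coordinate the logout flow listed above (terminate the local session, call the logout REST endpoints of the other known Service Providers, then end the IdP session) for both the Technology Center and the non-CCC case. It assumes a session record that remembers which IdP authenticated the user and which SPs took part in the session, a registry of SP and IdP logout endpoints shaped like the constructed KNOWN_SPS and KNOWN_IDPS below (the real authsources_prod.json may be shaped differently), a "session_index" form field as the logout payload, and an injected HTTP function so the example runs offline. The entityIDs and URLs are invented.

```python
"""Added example (not CCC code): best-effort single logout across known SPs.

Assumptions not taken from the page: the registry shape below, the
"session_index" form field sent to each SP, and the injected http_post.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed registry. Keys are SP entityIDs; "logout" is the SP's proprietary
# logout REST endpoint; "ccc_tc" marks apps developed by the CCC Technology
# Center, which log each other out. Canvas is a non-CCC app.
KNOWN_SPS: Dict[str, dict] = {
    "https://mypath.example.edu/sp": {"logout": "https://mypath.example.edu/api/logout", "ccc_tc": True},
    "https://apply.example.edu/sp": {"logout": "https://apply.example.edu/api/logout", "ccc_tc": True},
    "https://canvas.example.edu/sp": {"logout": "https://canvas.example.edu/logout", "ccc_tc": False},
}

# Constructed registry of college IdPs and their proprietary logout endpoints.
KNOWN_IDPS: Dict[str, dict] = {
    "https://idp.college-a.example.edu/idp/shibboleth": {
        "logout": "https://idp.college-a.example.edu/idp/profile/Logout"},
}


@dataclass
class SsoSession:
    session_id: str
    idp_entity_id: str          # which college/district IdP authenticated the user
    sp_entity_ids: List[str]    # SPs visited during this SSO session
    active: bool = True


@dataclass
class LogoutResult:
    initiating_sp: str
    terminated_sps: List[str] = field(default_factory=list)
    failed_sps: List[str] = field(default_factory=list)
    skipped_sps: List[str] = field(default_factory=list)
    idp_logout_url: Optional[str] = None
    message: str = ""


HttpPost = Callable[[str, dict], int]   # (url, form fields) -> HTTP status code


def single_logout(session: SsoSession, initiating_sp: str, http_post: HttpPost) -> LogoutResult:
    """Run the logout flow for one SSO session and report what was terminated."""
    result = LogoutResult(initiating_sp=initiating_sp)
    if not session.active:
        result.message = "Session already terminated. Close your browser."
        return result

    # Steps 1-3: the application's own session and the proxy SSO session end
    # first and unconditionally, so a failure downstream can never leave the
    # user logged in locally (important on a shared kiosk).
    session.active = False
    result.terminated_sps.append(initiating_sp)

    # Step 4: propagate only from Technology Center apps and only to other
    # Technology Center apps. Endpoints come from the registry, never from
    # the session, so a user cannot steer the proxy to an arbitrary URL.
    propagate = KNOWN_SPS.get(initiating_sp, {}).get("ccc_tc", False)
    for sp in session.sp_entity_ids:
        if sp == initiating_sp:
            continue
        entry = KNOWN_SPS.get(sp)
        if not propagate or entry is None or not entry["ccc_tc"]:
            result.skipped_sps.append(sp)
            continue
        try:
            status = http_post(entry["logout"], {"session_index": session.session_id})
        except Exception:  # network error: record and keep going; never abort the flow
            status = 0
        (result.terminated_sps if 200 <= status < 300 else result.failed_sps).append(sp)

    # Step 5: the IdP (proxy) session ends by redirecting the browser to the
    # proprietary logout endpoint of the IdP recorded at login.
    idp = KNOWN_IDPS.get(session.idp_entity_id)
    result.idp_logout_url = idp["logout"] if idp else None

    # Step 6: the final page always tells the user to close the browser; on a
    # shared workstation that is the only way to clear cookies we could not.
    if result.failed_sps or result.idp_logout_url is None:
        result.message = "Logout incomplete for some services. Close your browser now."
    else:
        result.message = "You have been logged out. Close your browser to end all sessions."
    return result


if __name__ == "__main__":
    demo = SsoSession("sess-1", next(iter(KNOWN_IDPS)), list(KNOWN_SPS))
    print(single_logout(demo, "https://mypath.example.edu/sp", lambda url, form: 200))
```

Failures are recorded rather than fatal: a single unreachable SP must not stop the proxy from ending the other sessions, but the final page should say the logout was incomplete so the user closes the browser.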


Reference

https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues

http://xacmlinfo.org/2013/06/28/how-saml2-single-logout-works/

https://www.portalguard.com/blog/2016/06/20/saml-single-logout-need-to-know/


https://saml-resources.cccmypath.org/resources/authsources_prod.json

