Question

We have used Shibboleth to authenticate users. It works great.

The issue is that after going to user/logout (and, I think, actually logging out), the user is immediately and automatically re-authenticated!

Any solutions come to mind?

Thanks!


Solution

This is a moderately complex issue, depending on what you want to achieve. The bad news is that according to people who should know, SingleLogOff basically doesn't work, because at the very least the local app might cache login information and there's no reliable way of telling everybody to log you out.

However, logging out of a Service Provider's specific session might be as easy as sending your user to https://yourhost/Shibboleth.sso/Logout?return=http://www.google.com which will destroy that session and redirect the user to the given URL.

To destroy the session with the IdP, you'd probably need a way to erase the _idp_session cookie set by the IdP, which is easy if you control the IdP and not if you don't. (The shibd SP does support telling the IdP to log out the IdP session, too, but the IdP doesn't.)

EDIT AFTER SHIB 3 RELEASE

Shibboleth 3 now supports SLO.

OTHER TIPS

Single logout does not work - don't bother looking for it; you can log out from the SP - but there is no real way to log out from the IdP's SSO chain.

The Shibboleth IdP is an SSO; it caches a cookie that overrides any logout on the SP (the only way around this is to force users to authenticate at the SP after an SP logout - a SAML config - which in effect means that the SP is no longer accepting SSO).

Killing the IdP cookies will only prevent future SSOs - it does not log out users from any pre-existing sessions.

The only way to truly log out in an SSO world is to kill the browser session (each browser type has a different way).

There are so-called SLO agents that attempt to go to each of the SPs visited in an SSO session, log out individually, and then kill the IdP session: this is simply not practical in an SSO environment where there are multiple SPs (it just takes one call to one SP to fail and you have an incomplete logout process).
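As an added illustration (not code from the answers or from Shibboleth) of why the SP-only logout in the accepted answer is followed by silent re-authentication, and of the "force authentication at the SP" workaround above: a toy model of the two session cookies. Class and cookie names other than `_idp_session` are assumptions, and a single dict stands in for the browser's cookies at both hosts.

```python
# Constructed toy model, not Shibboleth code: SP session vs. IdP SSO session.
from dataclasses import dataclass, field

@dataclass
class IdP:
    sessions: dict = field(default_factory=dict)  # _idp_session value -> user
    prompts: int = 0                              # times a login page was shown

    def authenticate(self, cookies: dict, user: str, force_authn: bool = False) -> str:
        """Answer an AuthnRequest; prompt for credentials only when needed."""
        sid = cookies.get("_idp_session")
        if sid in self.sessions and not force_authn:
            return self.sessions[sid]             # SSO: no credentials asked
        self.prompts += 1                         # user sees the login page
        sid = f"idp-{len(self.sessions) + 1}"
        self.sessions[sid] = user
        cookies["_idp_session"] = sid             # the cookie the answer mentions
        return user

@dataclass
class SP:
    idp: IdP
    force_authn: bool = False                     # the "force users to authenticate" config
    sessions: dict = field(default_factory=dict)  # _shibsession value -> user (assumed name)

    def access(self, cookies: dict, user: str) -> str:
        """Protected resource: reuse the SP session or go to the IdP for one."""
        sid = cookies.get("_shibsession")
        if sid in self.sessions:
            return self.sessions[sid]
        subject = self.idp.authenticate(cookies, user, self.force_authn)
        sid = f"sp-{len(self.sessions) + 1}"
        self.sessions[sid] = subject
        cookies["_shibsession"] = sid
        return subject

    def logout(self, cookies: dict, return_url: str) -> str:
        """Model /Shibboleth.sso/Logout?return=...: destroys the SP session only."""
        self.sessions.pop(cookies.pop("_shibsession", None), None)
        return return_url                         # browser is redirected here

def logout_then_revisit(force_authn: bool) -> int:
    """Log in, log out at the SP, revisit; return how often the IdP prompted."""
    idp = IdP()
    sp = SP(idp, force_authn=force_authn)
    cookies: dict = {}
    sp.access(cookies, "alice")
    sp.logout(cookies, "https://www.example.com/")
    sp.access(cookies, "alice")                   # user comes back to a protected page
    return idp.prompts                            # 1: silently re-logged in; 2: asked again
```

With `force_authn=False` the second visit reuses the surviving `_idp_session` and the user is back in without typing anything, which is exactly the behaviour the question describes.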

@user353829 The only way to truly logout in an SSO world is to kill the browser session

Ok... that's partially true. In general, SAML2 (which Shibboleth implements) provides a specification for Single Logout (page 32). The thing is, it's quite tricky to implement (read SLOIssues provided by @Ulrich Schwarz) and even worse in the case of training your users to properly understand Global Logout (once again, read SLOIssues carefully).

But if you are completely sure that you understand how SLO really works, then there is a working implementation created by a Hungarian team.

I am currently testing it; I've successfully integrated it with my Facebook Login Module, and it works just great.

Just remember that there is a reason why this Hungarian module is not present in the latest official Shibboleth releases.

Hope that helped

Licensed under: CC-BY-SA with attribution