Discussion: logout concerns
lalithj
2014-08-14 05:24:44 UTC
Hi All,

We have Shibboleth IdP version 2.3.8 running in production, with various
third-party SPs integrated.


So far we have not done any work on logout features on behalf of the SPs.

Now some SPs are asking about the behaviour of the logout feature.

Is there an IdP logout URL which we can provide to SPs?

Currently our IdP is hooked up to CAS and is not doing a clean logout; we
expect everyone to close all their browser instances.

Please provide me with some instruction links to achieve the above.

Thanks





--
View this message in context: http://shibboleth.1660669.n2.nabble.com/logout-concerns-tp7605491.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
--
To unsubscribe from this list send an email to users-unsubscri
Cantor, Scott
2014-08-14 13:36:23 UTC
Post by lalithj
Please provide me with some instruction links to achieve the above.
Shibboleth, and in fact the web, does not support logout. [1] The poor
substitute included in 2.4.x, which you are not running, is described at
[2].

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues
[2] https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableSLO
Andrew Morgan
2014-08-14 17:25:17 UTC
Post by lalithj
Hi All,
We have Shibboleth IdP version 2.3.8 running in production, with various
third-party SPs integrated.
So far we have not done any work on logout features on behalf of the SPs.
Now some SPs are asking about the behaviour of the logout feature.
Is there an IdP logout URL which we can provide to SPs?
Currently our IdP is hooked up to CAS and is not doing a clean logout; we
expect everyone to close all their browser instances.
Please provide me with some instruction links to achieve the above.
I hope you're not trying to perform Single Log-Out (SLO). By that, I mean
that you want a logout at the IdP to also log out of all SPs. As other
people will tell you, that's a hopeless dream.

However, if you just want to provide a URL that will cause a logout at the
IdP and CAS, then that is possible. We do that here with a logout.jsp
file that we insert into the Shibboleth WAR file
(shibboleth-identityprovider-2.4.0/src/main/webapp/logout.jsp) before we
build/install the WAR.

logout.jsp contains:

<%
// logout.jsp: expire the two cookies set under this deployment path,
// drop the servlet session, then send the browser to the CAS logout page.
Cookie c;

// IdP session cookie (our IdP is deployed under /idp-dev)
c = new Cookie("_idp_session", null);
c.setPath("/idp-dev");
c.setMaxAge(0);        // Max-Age=0 tells the browser to discard the cookie
c.setSecure(true);
response.addCookie(c);

// Servlet container session cookie
c = new Cookie("JSESSIONID", null);
c.setPath("/idp-dev");
c.setMaxAge(0);
c.setSecure(true);
response.addCookie(c);

// Drop the container's HttpSession, then hand off to CAS logout
session.invalidate();
response.sendRedirect("https://login.oregonstate.edu/cas-dev/logout");
%>



As you can see, this deletes the 2 IdP cookies and then redirects the
browser to the CAS logout page.

We are not using the shib-cas-authenticator here (yet), so this logout
process may be different if you are integrating CAS with Shibboleth using
shib-cas-authenticator.

Andy
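One check worth running before handing a logout URL like this to SPs is to confirm, from a captured HTTP response, that the endpoint actually tells the browser to discard the cookies (Max-Age=0 or an Expires date in the past, correct Path, Secure flag) and that it redirects to the CAS logout page. The script below is an added example, not code from the thread or from Shibboleth; the two response captures are constructed, the hostnames and paths are placeholders, and the cookie names are the ones used in the logout.jsp above. It only checks what the browser sees; whether the IdP's server-side session is gone is a separate question.

```python
"""Check that a captured logout response clears the IdP cookies and
redirects to CAS logout. Added example; not part of the mailing-list thread."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed capture of what a servlet container might emit for the
# logout.jsp above (hostnames/paths are placeholders, not real deployments).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: _idp_session=\"\"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; "
    "Path=/idp-dev; Secure\r\n"
    "Set-Cookie: JSESSIONID=\"\"; Max-Age=0; Path=/idp-dev; Secure\r\n"
    "Location: https://login.example.edu/cas-dev/logout\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed variant with two mistakes the check should catch: the IdP
# session cookie is re-set but never expired, and JSESSIONID lacks Secure.
BROKEN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: _idp_session=\"\"; Path=/idp-dev; Secure\r\n"
    "Set-Cookie: JSESSIONID=\"\"; Max-Age=0; Path=/idp-dev\r\n"
    "Location: https://login.example.edu/cas-dev/logout\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_expired(morsel, now):
    """True if the Set-Cookie attributes tell the browser to discard the cookie."""
    if morsel["max-age"] != "":
        return int(morsel["max-age"]) <= 0
    if morsel["expires"] != "":
        exp = parsedate_to_datetime(morsel["expires"])
        if exp.tzinfo is None:  # treat a naive timestamp as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        return exp <= now
    return False  # no expiry attribute: the browser keeps the cookie


def check_logout_response(raw, cookie_names, cookie_path, cas_logout_url, now=None):
    """Return a list of problems found; an empty list means the response passes."""
    now = now or datetime.now(timezone.utc)
    status, headers = parse_response(raw)
    problems = []

    jar = SimpleCookie()
    for name, value in headers:
        if name == "set-cookie":
            jar.load(value)

    for wanted in cookie_names:
        if wanted not in jar:
            problems.append(f"{wanted}: no Set-Cookie header at all")
            continue
        m = jar[wanted]
        if not cookie_expired(m, now):
            problems.append(f"{wanted}: not expired (browser will keep it)")
        if m["path"] != cookie_path:
            problems.append(f"{wanted}: path {m['path']!r} != {cookie_path!r}")
        if m["secure"] is not True:
            problems.append(f"{wanted}: missing Secure flag")

    if status not in (302, 303, 307):
        problems.append(f"status {status} is not a redirect")
    location = dict(headers).get("location")
    if location != cas_logout_url:
        problems.append(f"redirect goes to {location!r}, not the CAS logout URL")
    return problems


if __name__ == "__main__":
    names = ["_idp_session", "JSESSIONID"]
    cas = "https://login.example.edu/cas-dev/logout"
    for label, raw in (("sample", SAMPLE_RESPONSE), ("broken", BROKEN_RESPONSE)):
        print(label, check_logout_response(raw, names, "/idp-dev", cas) or "OK")
```

To run it against a real deployment, replace SAMPLE_RESPONSE with the headers captured from your own logout URL (for example with `curl -s -D - -o /dev/null <url>`) and pass the cookie names and path your IdP actually uses.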
Cantor, Scott
2014-08-14 17:27:40 UTC
Post by Andrew Morgan
However, if you just want to provide a URL that will cause a logout at the
IdP and CAS, then that is possible. We do that here with a logout.jsp
file that we insert into the Shibboleth WAR file
(shibboleth-identityprovider-2.4.0/src/main/webapp/logout.jsp) before we
build/install the WAR.
You can do all that with 2.4.0 alone; that's what the handler built into
the IdP is designed for. FWIW.

-- Scott
Andrew Morgan
2014-08-14 17:56:02 UTC
Post by Cantor, Scott
Post by Andrew Morgan
However, if you just want to provide a URL that will cause a logout at the
IdP and CAS, then that is possible. We do that here with a logout.jsp
file that we insert into the Shibboleth WAR file
(shibboleth-identityprovider-2.4.0/src/main/webapp/logout.jsp) before we
build/install the WAR.
You can do all that with 2.4.0 alone; that's what the handler built into
the IdP is designed for. FWIW.
Are you referring to the stock logout.jsp in 2.4.0? I haven't looked at
that file for a while. How does it know to redirect to CAS' logout?

Andy
Cantor, Scott
2014-08-14 18:03:23 UTC
Post by Andrew Morgan
Are you referring to the stock logout.jsp in 2.4.0? I haven't looked at
that file for a while. How does it know to redirect to CAS' logout?
I'm referring to the endpoint(s) in the IdP described on the IdPEnableSLO
page, which under the appropriate conditions end up at whatever template
you want to provide and can do whatever you want them to do.

Your version in particular doesn't remove the IdP session, and depends on
the names of cookies that are not part of the public interface.

-- Scott
lalithj
2014-08-15 00:12:13 UTC
Yes,

You are correct; I am not planning to do SLO.

I just want to provide a URL that will cause a logout at the
IdP and CAS.

The thing is we only have IdP 2.3.8. Any issue with that version?

Also curious how these are facilitated in IdP 2.4, which we don't have at the
moment.





--
View this message in context: http://shibboleth.1660669.n2.nabble.com/logout-concerns-tp7605491p7605529.html
Cantor, Scott
2014-08-15 00:14:45 UTC
Post by lalithj
The thing is we only have IdP 2.3.8. Any issue with that version?
Upgrading to 2.4.0 is less work than anything involving 2.3.8 and logout.
Not to mention you'd be running a supported version.

-- Scott
Andrew Morgan
2014-08-15 00:40:03 UTC
Post by Cantor, Scott
Post by lalithj
The thing is we only have IdP 2.3.8. Any issue with that version?
Upgrading to 2.4.0 is less work than anything involving 2.3.8 and logout.
Not to mention you'd be running a supported version.
Scott is right that upgrading from 2.3.8 to 2.4.0 will be pretty easy.
However, you could also create the logout.jsp file as I sent you earlier
and drop that into your WAR. Then "publish" that as your logout URL.

Maybe that's not ideal if you'll just be changing it in the future to the
2.4.0 logout though...

In this case, there are several ways to accomplish what you want. Pick
whatever works for you. :)

Andy
lalithj
2014-08-15 02:11:42 UTC
Thanks,

For now, I would like to keep the same version and drop in the logout.jsp as
suggested.

In addition to dropping in the logout file, do I have to make any other config
changes?

What is meant by "publish" as the logout URL? What are the steps involved?

Also, considering the CAS authenticator in place: do you have that set up as well?

After this, I will pass this URL to our SPs.

Thanks



--
View this message in context: http://shibboleth.1660669.n2.nabble.com/logout-concerns-tp7605491p7605536.html
Andrew Morgan
2014-08-15 17:15:31 UTC
Post by lalithj
Thanks,
For now, I would like to keep the same version and drop in the logout.jsp as
suggested.
In addition to dropping in the logout file, do I have to make any other config
changes?
I didn't make any other Shibboleth changes. This doesn't really integrate
with Shibboleth (like the 2.4.0 Logout stuff does). It just deletes the
cookies and redirects to CAS.
Post by lalithj
What is meant by "publish" as the logout URL? What are the steps involved?
Just let people know that this is your logout URL, so they can provide a
link in their SP application.
Post by lalithj
Also, considering the CAS authenticator in place: do you have that set up as well?
After this, I will pass this URL to our SPs.
Thanks
Andy
lalithj
2014-08-19 04:23:17 UTC
Thanks Andrew,

This is what we are going to try out first.

Also, I would like to know the migration path to 2.4 from 2.3.

Any URL with instructions?



--
View this message in context: http://shibboleth.1660669.n2.nabble.com/logout-concerns-tp7605491p7605685.html
Cantor, Scott
2014-08-19 13:55:20 UTC
Post by lalithj
Also, I would like to know the migration path to 2.4 from 2.3.
You unpack it, run install.sh, and restart. On a dev server first of
course. If that doesn't work for any 2.x update, then there's a bug in the
software.

-- Scott