Configure Service Provider Logout

Last updated: May 31, 2024
Audience: IT Staff / Technical

This guide shows how to configure logout for a Shibboleth Service Provider (SP).

Introduction – what does logout mean?

The concept of “logout” of a web site or application is more complex than it may seem when it involves single sign-on (SSO) by users accessing more than one site or application during a browsing session. From what is one “logging out”? Only from the site or application? From all sites that rely on the SSO session? All sites and applications?

Users have different intentions in clicking “logout” links and different expectations of the results. The only true “log out of everything” mechanism is for the user to quit the browser (which discards the session cookies the SP and IdP set) and clear any persistent cookies. Any logout page should say this, so that users who are finished browsing are reminded to quit their browser.

Shibboleth’s local logout method

Shibboleth supports a local logout method that clears the SP session and displays a basic “close your browser” message. It does not clear an application’s own session, so if the application maintains one, the application must clear it first and only then invoke the SP’s local logout.

If your SP relies only on the UW Identity Provider, you can configure a logout user experience in which the SP session is cleared and the user is then redirected to the IdP’s logout response page. This is described below. If your SP federates identities from multiple IdPs, you can configure local logout as described, send UW-authenticated users to it, and send users from other IdPs to the default SAML 2 logout endpoint instead.

Configure logout to use Shibboleth’s local method

In your shibboleth2.xml, set the <Logout> element (inside the <Sessions> element) to read:

<Logout>Local</Logout>

Note: the shibboleth2.xml shipped with the SP uses <Logout>SAML2 Local</Logout>, which first attempts a SAML 2 single logout exchange with the IdP and falls back to local logout. Setting it to Local alone skips the SAML exchange and only clears the SP session.

Configure local logout to continue on to the IdP

To redirect to the UW IdP after the Shibboleth SP session has been cleared, edit the localLogout.html template in the SP’s configuration directory (/etc/shibboleth on most Linux installs). In the <head>, add a meta refresh element after the existing Content-Type meta element:

<meta http-equiv="Refresh" content="0;URL=https://idp.u.washington.edu/idp/logout"/>

Send user to local logout url

To log a user out, send them to the SP’s local logout URL:

/Shibboleth.sso/Logout

Note: if your application maintains its own session in addition to the SP session, point your logout link at something that clears the application session first and then redirects to the SP’s local logout URL. Sending the user straight to /Shibboleth.sso/Logout leaves the application session alive.

Send user to specific logout url

If you allow login from multiple IdPs, you might want to redirect certain users back to their own IdP’s logout page after ending the local Shibboleth SP session. This requires some custom logic in your application’s “logout” function to send the user to the right logout endpoint with the appropriate query string.

Start by defining a LogoutInitiator in shibboleth2.xml and pass the final destination as a query string parameter. Your shibboleth2.xml will look something like this:

<Sessions ...>
...
<SSO>...</SSO>
...
<LogoutInitiator type="Local" Location="/SpecialLogout">
</LogoutInitiator>
</Sessions>

(The documentation on LogoutInitiator is at:  https://wiki.shibboleth.net/confluence/x/AoFC )

For the actual logout, have your custom code send the user to:

…/Shibboleth.sso/SpecialLogout?return=<client-logout-URL>

The value of return must be URL-encoded. Because return is a redirect target supplied in the request, current SP releases restrict it through the redirectLimit attribute on <Sessions> (the shipped default, exact, only allows redirects back to the SP’s own host); to allow redirects to an IdP’s logout page, list the permitted URLs in redirectAllow. Never let an unvalidated, user-supplied URL flow into return, or the handler becomes an open redirect.
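The application-side logout logic described above, as an added example that is not part of this page or of the Shibboleth SP. It clears the application’s own session, looks up the authenticating IdP from the SP-exported Shib-Identity-Provider variable, and builds the SpecialLogout URL with a URL-encoded return parameter, falling back to the SP’s local logout when the IdP is unknown. The entityIDs, the partner IdP and the ALLOWED_RETURN_HOSTS allowlist are assumptions made for the example; only the UW logout URL and the two SP paths come from the page.

```python
from urllib.parse import urlencode, urlparse

# Assumed, server-side mapping from IdP entityID to that IdP's logout page.
# The UW logout URL is the one given on this page; the entityIDs and the
# partner IdP are constructed placeholders for the example.
IDP_LOGOUT_URLS = {
    "urn:mace:incommon:washington.edu": "https://idp.u.washington.edu/idp/logout",
    "https://idp.partner.example/idp/shibboleth": "https://idp.partner.example/idp/logout",
}

# Only these hosts may ever appear in return=. Deriving the allowlist from the
# map keeps the two in sync (assumed policy for this example).
ALLOWED_RETURN_HOSTS = {urlparse(u).hostname for u in IDP_LOGOUT_URLS.values()}

SP_LOCAL_LOGOUT = "/Shibboleth.sso/Logout"           # the SP's default local logout
SP_SPECIAL_LOGOUT = "/Shibboleth.sso/SpecialLogout"  # the LogoutInitiator defined above


def is_allowed_return(url):
    """Accept only absolute https URLs on an allowlisted host.

    Scheme-relative ("//evil.example/...") and http:// targets fail here, which
    closes the open-redirect hole a raw, unvalidated return= value would open.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_RETURN_HOSTS


def build_logout_redirect(shib_vars, app_session, return_to=None):
    """Clear the application session and compute where to send the browser.

    shib_vars   -- SP-populated attributes for this request; the SP exports the
                   authenticating IdP's entityID as Shib-Identity-Provider (as an
                   environment variable, or a request header if ShibUseHeaders is on).
    app_session -- the application's own session store (a plain dict here).
    return_to   -- optional caller-supplied final destination; honoured only if it
                   passes is_allowed_return().
    """
    # 1. Kill the application's own session first; the SP will not do it for us.
    app_session.clear()

    # 2. Pick the destination: a validated explicit request wins, otherwise
    #    look up the IdP that authenticated this user.
    if return_to is not None and is_allowed_return(return_to):
        target = return_to
    else:
        target = IDP_LOGOUT_URLS.get(shib_vars.get("Shib-Identity-Provider", ""))

    # 3. No known IdP: just end the SP session and show the local logout page.
    if target is None:
        return SP_LOCAL_LOGOUT

    # 4. End the SP session through the custom LogoutInitiator, then continue
    #    to the IdP. urlencode() percent-encodes the URL so that it survives as
    #    a single query-string value.
    return SP_SPECIAL_LOGOUT + "?" + urlencode({"return": target})


if __name__ == "__main__":
    # Constructed sample request: a UW-authenticated user with a live app session.
    session = {"user": "alice"}
    print(build_logout_redirect({"Shib-Identity-Provider": "urn:mace:incommon:washington.edu"}, session))
    print("app session after logout:", session)
```

In a real deployment the web framework’s logout view would call build_logout_redirect() and issue an HTTP redirect to the returned path; the SP’s redirectLimit/redirectAllow settings must independently permit the IdP URLs in the map, since the SP enforces its own policy regardless of what the application checks.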

See Also

Shibboleth Project’s NativeSPServiceLogout reference