Australian Access Federation Support Desk

Logout

by Dean Nottingham

The AAF, and in fact all SAML-based federations, do not currently support single logout (SLO). While on the surface this appears to be an easy concept, the reality is much more complex.

There is some useful reference documentation provided by the Shibboleth developers available here: https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues


While support is not currently in the IdP, there are already some thoughts on how applications might be adapted in the future to support SLO:
https://wiki.shibboleth.net/confluence/display/SHIB2/SLOWebappAdapt...

At this point we recommend setting an SP session timeout value that your security assessment is comfortable with, along with providing a message to your users on a logout-type page that the only way to fully end their session is to close their browser. The following page defines the numerous attributes you can tweak to meet your policies:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions
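
One way to check a deployed SP configuration against that recommendation, as an added example that is not AAF or Shibboleth project code: the script below reads the `lifetime` and `timeout` attributes of every `<Sessions>` element in a `shibboleth2.xml` and reports values outside policy. The sample configuration is constructed and the limits in `POLICY` are hypothetical; substitute the figures from your own security assessment.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed shibboleth2.xml (not a real deployment).
SAMPLE_CONFIG = """\
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"/>
    <ApplicationOverride id="admin">
      <Sessions lifetime="3600" timeout="600"/>
    </ApplicationOverride>
    <ApplicationOverride id="legacy">
      <Sessions lifetime="86400"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>
"""

# Hypothetical policy limits in seconds (assumption, not an AAF requirement).
POLICY = {"lifetime": 28800, "timeout": 1800}


def local(tag):
    """Strip the XML namespace so the check does not depend on the SP config version."""
    return tag.rsplit("}", 1)[-1]


def audit_sessions(xml_text, policy=POLICY):
    """Return (application, attribute, problem) for each <Sessions> value outside policy."""
    findings = []
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        if local(parent.tag) not in ("ApplicationDefaults", "ApplicationOverride"):
            continue
        app = parent.get("id", "default")
        for child in parent:
            if local(child.tag) != "Sessions":
                continue
            for attr, limit in policy.items():
                raw = child.get(attr)
                if raw is None:
                    # Absent attribute: the SP falls back to its built-in default.
                    findings.append((app, attr, "not set explicitly"))
                elif not raw.isdigit():
                    findings.append((app, attr, f"not a number: {raw!r}"))
                elif int(raw) > limit:
                    findings.append((app, attr, f"{raw}s exceeds limit {limit}s"))
    return findings


if __name__ == "__main__":
    for app, attr, problem in audit_sessions(SAMPLE_CONFIG):
        print(f"[{app}] {attr}: {problem}")
```

An `ApplicationOverride` that has no `<Sessions>` element of its own is not reported, since it inherits the settings of `ApplicationDefaults`.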

You might also find the details provided by Brown University about their Shibboleth logout policies of interest: https://wiki.brown.edu/confluence/display/CISDOC/Shibboleth+and+App...
