4
votes

I have a product which authenticates using Shibboleth.

When a user initiates a logout on the website

  1. The web server sends a logout request to the Shibboleth SP.
  2. The SP deletes the cookies upon getting the request.
  3. However, if the user goes back to the website, the login page is not prompted.

For the configuration shown below I am using the Shibboleth Service Provider given here: https://www.testshib.org/install.html#SP. It is configured to use the testshib.org IdP, details of which can be read here.

Shibboleth Signout

I believe that the IdP is not deleting its session cookie and logs the user in again at step 3.

More on IdP Cookies:

This wiki source states that the IdP uses two cookies: _idp_authn_lc_key, which is deleted after authentication, and a session cookie, '_idp_session', about which it states:

Once a user has been authenticated they will have a long-lived session with the IdP which is tracked by a cookie named _idp_session. This cookie contains only information necessary for identifying the user's IdP session. This cookie is created as "session" cookie and will be removed when the browser chooses to remove such cookies (often when the browser is closed).

My question is

  • What changes do I need to make on the SP to request the IdP to delete the same and effectively create a GLOBAL LOGOUT?

1

I've achieved what you want here by directing to my IdP's logout URL. Your IdP should provide that to you. I'm not sure if TestShib has one, or has any documentation on it. Edit: looks like TestShib doesn't provide any support for this. - dperjar

1 Answer

2
votes

For what it's worth, you're going to have a very hard time forcing the IdP to log the user off. The cookie approach is an implementation detail, and not all IdPs use it, and it could change. Some IdPs may offer a logout URL, but honestly, it's potentially something bad for users (can you imagine if you could figure out a way to constantly deauthorize a user from not just your site, but their sessions with any other SPs?). You really only have control of your own sessions on the service provider.

Why not force re-authentication when your user returns / comes back to your SP? If they haven't been authenticated recently to the IdP after a visit (that's a field you get back from the SAML exchange), just send them back to the IdP again and pass the forced-reauth flag.

If you're using the Shibboleth software, it's even built in: https://wiki.cac.washington.edu/display/infra/Configure+a+Service+Provider+to+Force+Re-Authentication
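As an added illustration of the application-side variant of this approach (not code from the answer or from the Shibboleth project): the SP exposes the SAML AuthnInstant as the Shib-Authentication-Instant request header (assuming ShibUseHeaders On), and the SP's Login handler accepts forceAuthn=true. The freshness window and the sample timestamps below are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Oldest IdP authentication we accept before bouncing the user back to the IdP
# with forceAuthn (constructed policy value for this example).
MAX_AUTHN_AGE = timedelta(minutes=10)


def parse_authn_instant(value):
    """Parse the xs:dateTime the SP puts in Shib-Authentication-Instant.
    A typical value is 2024-01-15T10:20:30Z (constructed sample); returns None
    for a missing or malformed value."""
    if value is None or not value.strip():
        return None
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"  # fromisoformat needs an explicit offset
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def needs_reauth(authn_instant, now, max_age=MAX_AUTHN_AGE):
    """True when the IdP authentication is older than max_age.
    A missing or unparseable instant is treated as stale (fail closed)."""
    instant = parse_authn_instant(authn_instant)
    if instant is None:
        return True
    return (now - instant) > max_age


def forced_login_url(target, handler="/Shibboleth.sso/Login"):
    """Build the SP session-initiator URL that makes the IdP re-prompt the user."""
    return handler + "?" + urlencode({"forceAuthn": "true", "target": target})


def check_request(headers, target, now=None):
    """Return None when the session is fresh enough, otherwise the redirect URL
    the application should send the returning user to."""
    now = now or datetime.now(timezone.utc)
    if needs_reauth(headers.get("Shib-Authentication-Instant"), now):
        return forced_login_url(target)
    return None
```

Because the SP session itself is still valid, the redirect only works if the application checks the instant on every protected request, not only at session creation.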