0
votes

I'm using Shibboleth authentication in my application. When the user clicks the Logout button, he is directed to the ~/Shibboleth.sso/Logout link. It seems like a success when the button is clicked, but if I try to log in using Shibboleth one more time, it does not redirect to the Shibboleth Login page! Instead it shows the previously logged-on user (that I've logged out). So the session seems to be persistent even after logout! But if I close my browser before signing in again, the user is redirected normally to the Shibboleth Login page. So it seems like a session state or cookie problem! I've used the following code to solve it:

    if (Request.Cookies["shibsession"] != null)
    {
        HttpCookie myCookie = new HttpCookie("shibsession");
        myCookie.Expires = DateTime.Now.AddDays(-1);
        Response.Cookies.Add(myCookie);
    }
    Response.Redirect("~/Shibboleth.sso/Logout");

But it's not working! Can anyone help?

1 Answer

1
votes

The URL Shibboleth.sso/Logout, hit at the Service Provider, has no control over the IdP's session, nor could it. It can send SAML logout requests or issue proprietary redirects.

Best practice: Logout handler should be handled by the Identity Provider.

Closing the browser is the only option after doing logout. Logout doesn't work at scale and it never will unless the browser vendors cooperate and just do it themselves. So you could assume that closing the browser is the only option, and that still requires clearing cookies on the latest browsers, Chrome or Firefox.
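
The hand-off the answer describes, as an added example that is not part of the original post: the application drops only its own state, leaves the SP cookie in place so the SP logout handler can still find the session it has to end, and asks that handler to send the browser on to the IdP. Assumptions: the IdP logout URL is a placeholder, the class and method names are hypothetical, and the SP session cookie carries the Shibboleth SP's usual `_shibsession_` name prefix.

```csharp
using System;
using System.Linq;
using System.Web;

public static class ShibbolethLogout
{
    // Assumption: placeholder URL, replace with your IdP's real logout endpoint.
    private const string IdpLogoutUrl = "https://idp.example.org/idp/profile/Logout";

    // Assumption: the SP names its session cookie "_shibsession_<suffix>",
    // so an exact-name lookup without the suffix finds nothing.
    private const string SpCookiePrefix = "_shibsession_";

    // True when the browser presented an SP session cookie on this request.
    public static bool HasSpSession(HttpRequest request)
    {
        return request.Cookies.AllKeys.Any(name =>
            name != null && name.StartsWith(SpCookiePrefix, StringComparison.Ordinal));
    }

    public static void SignOut(HttpContext context)
    {
        // 1. Drop the application's own server-side state.
        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon();
        }

        // 2. Do NOT expire the SP cookie here: the SP logout handler needs it
        //    to identify the session it must end (and to send a SAML logout
        //    request, if the SP is configured to do so).
        string target = HasSpSession(context.Request)
            // 3a. SP session present: end it at the SP, then continue to the
            //     IdP through the handler's "return" parameter.
            ? VirtualPathUtility.ToAbsolute("~/Shibboleth.sso/Logout")
                + "?return=" + HttpUtility.UrlEncode(IdpLogoutUrl)
            // 3b. No SP session left: only the IdP session can still be
            //     causing the silent re-login, so go there directly.
            : IdpLogoutUrl;

        context.Response.Redirect(target, false);
        context.ApplicationInstance.CompleteRequest();
    }
}
```

This ends the session at this SP and hands the browser to the IdP; whether the IdP session and sessions at other service providers end depends on the IdP, which is why the answer still treats closing the browser as the fallback.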