I’m looking for some help with a sign-out problem.
I’ve a service provider application hosted on azure that’s connecting to an external Shibboleth IdP. The SSO requests seem to be working fine, but when I try to initiate a SLO, all the responses seem to be right, but it’s as though the IdP just doesn’t terminate the session.
When a user clicks the logout button, the following things occur
I destroy the user session
I call InitiateSLO
I receive a response from the IdP
I thend redirect the user to the site root
I check if the user session is active (it isn’t)
I send an InitiateSSO request to the IdP (expecting to be redirected to the IdP login page)
The IdP returns an SSO response with the authenticated user (erroneously)
The user then returns to the default site page as if they’d never clicked logout
I’m not sure if there’s an easy way to debug this, all the right messages seems to be being sent - I don’t have access to the IdP, so I can’t tell what’s going on at their end. I’ve found that their idp offers a sort of hard ‘logout’ url that seems to kill the session, but I’d like to stay within the regular SAML message chain if I can.
Any advice would be appreciated.
Thank you,
I’m not sure if Shibboleth fully supports SAML single logout. There was a time when it didn’t and I’m not sure if that’s changed.
Please refer to the following article.
https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues
I suggest contacting the external IdP to confirm whether or not they support SLO and, if they do, that your configuration is correct.
You’re welcome to enable SAML trace and send the generated log file as an email attachment to our support.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Please mention this forum post.