Changes

DrupalShibbolethReadmeDev

1,992 bytes added, 26 August 2009, 15:29
Account linking: SAML2 Logout
{{ATTENTION_EN|Dynamic roles are roles derived from server variables, not from user accounts. They may well differ between a username/password logon and a Shibboleth logon.}}
 
=== Logging out ===
==== Session expiry ====
Enable the option "''Destroy Drupal session when the Shibboleth session expires''" if you want to force a logout for users who no longer have a valid Shibboleth session. (This only applies to lazy sessions; otherwise it is the web server that ensures you have a valid session.)
 
{{INFO_EN|;Keep in mind if you leave this option off:
* if the Shibboleth session is lost, all Shibboleth-derived attributes disappear, so the user loses the [[#Dynamic role assignment|assigned Shibboleth roles]]
** on the other hand, the roles assigned to the ''Drupal account of the user'' persist as long as the Drupal session is valid
* a Shibboleth session may be lost if you use a clustered SP without a central session cache}}
 
==== URL to redirect to after logout ====
Define the URL to which the user is redirected after logout. The URL can be absolute or relative to the server base URL; relative paths are automatically prefixed with the site base URL.
 
==== SAML2 Logout ====
At the moment, the Shibboleth2 SP supports SAML2 logout while the Shibboleth2 IdP does not. As a consequence, with a standard Shibboleth2 installation you get a Shibboleth error message on logout, like this:
<pre>
Global Logout
Status of Global Logout: Identity provider does not support SAML 2 Single Logout protocol.
</pre>
You can avoid this message by commenting out the SAML2 global logout initiator in the <code>/Logout</code> handler in <code>/etc/shibboleth/shibboleth2.xml</code>:
<source lang="xml">
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
    <!-- The following line should be commented out to make Drupal logout work,
         as long as your IdPs do not support SAML2 logout -->
    <!--LogoutInitiator type="SAML2" template="bindingTemplate.html"/-->
    <LogoutInitiator type="Local"/>
</LogoutInitiator>
</source>
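The following script is an added example, not code from the Drupal Shibboleth module or from the Shibboleth project. It checks a <code>shibboleth2.xml</code> for an active <code>SAML2</code> initiator inside the <code>/Logout</code> chain (the condition that produces the "Global Logout" error above) and comments it out in the same <code>&lt;!--...--&gt;</code> style shown on this page. The <code>SAMPLE_CONFIG</code> fragment is constructed for the example; the function names and the regular expression are this example's own assumptions, and the script only processes the <code>LogoutInitiator</code> elements, leaving the rest of the file untouched.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment of a shibboleth2.xml with SAML2 logout still active.
# It is not a complete SP configuration, only the part this check looks at.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso">
      <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
        <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
        <LogoutInitiator type="Local"/>
      </LogoutInitiator>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""


def _local(tag):
    """Strip the XML namespace prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def logout_chain(xml_text, location="/Logout"):
    """Return the initiator types active inside the Chaining LogoutInitiator
    bound to `location`. Commented-out initiators never reach the parser,
    so they do not appear in the result."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if (_local(el.tag) == "LogoutInitiator"
                and el.get("type") == "Chaining"
                and el.get("Location") == location):
            return [child.get("type") for child in el
                    if _local(child.tag) == "LogoutInitiator"]
    return []


def saml2_logout_active(xml_text):
    """True when a SAML2 initiator is still live in the /Logout chain."""
    return "SAML2" in logout_chain(xml_text)


# Matches only a live element: the '<' must be followed directly by the
# element name, so an already commented '<!--LogoutInitiator ...' is skipped.
SAML2_INITIATOR = re.compile(r'<(LogoutInitiator\s+type="SAML2"[^>]*?)/>')


def comment_out_saml2_logout(xml_text):
    """Turn every live SAML2 LogoutInitiator into an XML comment, using the
    <!--LogoutInitiator .../--> form shown on this page. Idempotent."""
    return SAML2_INITIATOR.sub(r"<!--\1/-->", xml_text)


if __name__ == "__main__":
    print("before:", logout_chain(SAMPLE_CONFIG))
    fixed = comment_out_saml2_logout(SAMPLE_CONFIG)
    print("after: ", logout_chain(fixed))
    print(fixed)
```

Run the parse step again on the rewritten text before deploying it, as the script does: a configuration that no longer parses would leave the SP without any logout handler at all. When your IdP does start to support SAML2 Single Logout, re-enable the initiator rather than leaving the SP with a local-only logout, because a local logout alone does not end the IdP session.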
== Change log ==
