Difference between revisions of "Single Logout in Shibboleth IdP"

From: KIFÜ Wiki

Revision of the page as of 18 August 2009, 11:16

Features

  • Implements SAML2 Single Logout profile.
  • Highly customizable front-channel logout interface which leverages javascript and asynchronous operations in order to provide a clean, simple UI.
  • UI is usable with javascript disabled.
  • Supports SP name lookup via Organization elements in SAML metadata.
  • Fallback to back-channel logout if front-channel is not supported by the SP.
  • Supports Shibboleth SSO sessions (if the SP initiates sessions using the Shibboleth 1.3 protocol, but supports SAML2 logout).
  • Supports full back-channel operation.

UI customization

Non-trivial settings

  • SP certificate
    • Sign back-channel messages
  • SessionNotOnOrAfter

Required changes in IdP API

Name identifier caching in IdP session

In the LogoutRequest the IdP must reference the current user's name identifier. This name identifier is issued as part of the SSO process. In order to efficiently retrieve this information, the IdP should cache the name identifier in the IdP session information object.

Associated ticket: SIDP-336

Session indexing

On receiving a LogoutRequest from a session participant, the IdP must be able to retrieve the IdP session associated with the principal. Session participants use the issued name identifier to identify the principal. The IdP session object can be indexed (and then retrieved of course) by any arbitrary unique key, so we use the name identifier value to index the session.

Associated ticket: SIDP-338
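The two changes above (caching the issued name identifier in the IdP session, and indexing the session by that value) are shown together in the following added example. It is illustrative Python written for this page, not Shibboleth IdP code and not its Java session API; entity IDs, session IDs, NameID values and the sample LogoutRequest are constructed. It goes one step beyond the text in keying the index by (SP entity ID, NameID value) rather than by NameID value alone, because a NameID is issued per SP and the requesting SP must itself be a participant in the session. Signature or binding-level authentication of the incoming LogoutRequest is assumed to have happened before the lookup; without it, anyone who learns a NameID could end the session.

```python
"""Session index for SAML 2.0 Single Logout (illustrative, not Shibboleth IdP code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


@dataclass
class Participant:
    """What the IdP caches about one SP in the session (cf. SIDP-336)."""
    entity_id: str
    name_id: str
    name_id_format: str
    session_index: str
    front_channel: bool = True   # False: SP only supports back-channel logout


@dataclass
class IdPSession:
    session_id: str
    principal: str
    participants: dict = field(default_factory=dict)   # entity_id -> Participant


class SessionStore:
    """In-memory store indexed by session ID and by (SP, NameID) (cf. SIDP-338)."""
    def __init__(self):
        self._by_id = {}
        self._by_name_id = {}   # (sp_entity_id, name_id_value) -> session_id

    def create(self, session_id, principal):
        self._by_id[session_id] = IdPSession(session_id, principal)

    def record_sso(self, session_id, entity_id, name_id, fmt, session_index, front_channel=True):
        """Cache the NameID issued during SSO and index the session by it."""
        session = self._by_id[session_id]
        session.participants[entity_id] = Participant(entity_id, name_id, fmt, session_index, front_channel)
        self._by_name_id[(entity_id, name_id)] = session_id

    def find_by_name_id(self, entity_id, name_id):
        sid = self._by_name_id.get((entity_id, name_id))
        return self._by_id.get(sid) if sid else None

    def destroy(self, session_id):
        session = self._by_id.pop(session_id)
        for p in session.participants.values():
            self._by_name_id.pop((p.entity_id, p.name_id), None)


def parse_logout_request(xml_text):
    """Extract Issuer, NameID, Format and SessionIndex from a LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.find("saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("LogoutRequest without NameID")
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "name_id": name_id.text, "format": name_id.get("Format"),
            "session_index": root.findtext("samlp:SessionIndex", namespaces=NS)}


def handle_logout_request(store, xml_text):
    """Map an SP-initiated LogoutRequest to the IdP session via the NameID index.

    Assumes the request was already authenticated (signature / binding).
    Returns (principal, other participants still to be logged out), or (None, []).
    """
    req = parse_logout_request(xml_text)
    session = store.find_by_name_id(req["issuer"], req["name_id"])
    if session is None:
        return None, []
    me = session.participants[req["issuer"]]
    if req["session_index"] and req["session_index"] != me.session_index:
        return None, []   # refers to an SP session this IdP session did not create
    others = [p for eid, p in session.participants.items() if eid != req["issuer"]]
    store.destroy(session.session_id)
    return session.principal, others


def build_logout_request(issuer, request_id, issue_instant, p):
    """LogoutRequest the IdP sends to another participant, from the cached NameID."""
    q = {'"': "&quot;"}
    return (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{escape(request_id, q)}" Version="2.0" IssueInstant="{issue_instant}">'
            f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
            f'<saml:NameID Format="{escape(p.name_id_format, q)}">{escape(p.name_id)}</saml:NameID>'
            f"<samlp:SessionIndex>{escape(p.session_index)}</samlp:SessionIndex>"
            "</samlp:LogoutRequest>")


def demo():
    """Constructed scenario: one SSO session with two SPs, logout initiated by SP1."""
    store = SessionStore()
    store.create("idp-sess-1", "alice")
    store.record_sso("idp-sess-1", "https://sp1.example.org/shibboleth", "_n1", TRANSIENT, "idx-1")
    store.record_sso("idp-sess-1", "https://sp2.example.org/shibboleth", "_n2", TRANSIENT, "idx-2",
                     front_channel=False)
    # SP1 sends the NameID it was issued; the IdP finds the session by that value.
    incoming = build_logout_request("https://sp1.example.org/shibboleth", "_r1", "2009-08-18T11:16:00Z",
                                    Participant("https://sp1.example.org/shibboleth", "_n1", TRANSIENT, "idx-1"))
    principal, others = handle_logout_request(store, incoming)
    outgoing = [build_logout_request("https://idp.example.org/idp/shibboleth", f"_r{i + 2}",
                                     "2009-08-18T11:16:00Z", p) for i, p in enumerate(others)]
    return principal, others, outgoing, store


if __name__ == "__main__":
    principal, others, outgoing, _ = demo()
    print(principal, [(p.entity_id, p.front_channel) for p in others])
    print(outgoing[0])
```

`demo()` ends with the remaining participant being SP2, whose `front_channel=False` flag is what the fallback-to-back-channel feature listed above would consult before choosing a binding for the outgoing request.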

Missing features

  • Administrative logout
  • IdP-initiated logout