„Single Logout in Shibboleth IdP” változatai közötti eltérés

Innen: KIFÜ Wiki
(UI customization)
(UI customization)
41. sor: 41. sor:
  
 
With javascript disabled, the timeout is not possible, so if one session participant fails to respond, the user gets stuck on the status page.
 
With javascript disabled, the timeout is not possible, so if one session participant fails to respond, the user gets stuck on the status page.
 
=== Logout status query ===
 
  
 
== Non-trivial settings ==
 
== Non-trivial settings ==

A lap 2009. augusztus 18., 10:47-kori változata

Features

  • Implements SAML2 Single Logout profile.
  • Highly customizable front-channel logout interface which leverages javascript and asynchronous operations in order to provide a clean, simple UI.
  • UI is usable with javascript disabled.
  • Supports SP name lookup via Organization elements in SAML metadata .
  • Fallback to back-channel logout if front-channel is not supported by the SP.
  • Supports Shibboleth SSO sessions (if the SP initiates sessions using Shibboleth1.3 protocol, but supports SAML2 logout).
  • Supports full back-channel operation.

UI customization

The UI is located in two JSP files:

  • sloQuestion.jsp the user chooses whether she wants to logout from all service providers or just from the provider where she came from.
  • sloController.jsp is the logout UI where every session participant and their corresponding logout status is shown. At the end of the logout process, the user is notified if the single logout was completed.

How it works

SLOServlet

The heart of the logout process is the SLOServlet. This servlet is responsible for these actions:

  • rendering the logout question and controller page
  • initiating front-channel or back-channel logout to one SP (SLOServlet?logout&entityID=...)
  • returning the logout status as a JSON string (SLOServlet?status)

With javascript

The controller renders a page where an iframe is placed for every active session participant. This iframe calls the SLOServlet?logout&entityID=... URL where the logout request is issued for the given session participant. If the request is front-channel, the iframe will make a front-channel SAML message exchange with the peer (using HTTP-Redirect or POST bindings).

The status of the single logout process is queried via asynchronous requests. The status response from SLOServlet is a JSON array. This JSON array contains one object with the entityID and logoutStatus properties for each session participant.

The logout status can be one of the followings:

  • LOGGED_IN: logout is not initiated for this participant yet.
  • LOGOUT_ATTEMPTED: logout was initiated.
  • LOGOUT_FAILED: logout failed.
  • LOGOUT_UNSUPPORTED: SAML2 logout is not supported by the participant (the metadata does not contain the necessary endpoints).

Status queries are issued using exponential backoff timing, until the timeout is reached. Please see the sloController.jsp for the exact timing used.

Without javascript

Controller renders an HTML page with <noscript> tags. There will be one link for each session participant, which link can initiate the logout process (see above for details). Depending on the current logout status, several other controls are enabled on the page:

  • Refresh button, which will reload the controller HTML with the current status icons.
  • Logout failed message when logout process was finished, and there was at least one failed session participant.
  • Logout succeeded message when logout process was finished, and all session participants completed the logout.

With javascript disabled, the timeout is not possible, so if one session participant fails to respond, the user gets stuck on the status page.

Non-trivial settings

  • SP certificate
    • Sign back-channel messages
  • SessionNotOnOrAfter

Required changes in IdP API

Name identifier caching in IdP session

In the LogoutRequest the IdP must reference the current user's name identifier. This name identifier is issued as part of the SSO process. In order to efficiently retrieve this information, the IdP should cache the name identifier in the IdP session information object.

Associated ticket: SIDP-336

Session indexing

On receiving a LogoutRequest from a session participant, the IdP must be able to retrieve the IdP session associated with the principal. Session participants use the issued name identifier to identify the principal. The IdP session object can be indexed (and then retrieved of course) by any arbitrary unique key, so we use the name identifier value to index the session.

Associated ticket: SIDP-338

Missing features

  • Administrative logout
  • IdP-initiated logout