Single Logout in Shibboleth IdP

From: KIFÜ Wiki
You are viewing an older revision of this page, as it was after the edit by Hege(AT)niif.hu at 11:00 on 18 August 2009. (Required changes in IdP API)

Features

Front-channel logout

Use of metadata

JavaScript-less operation

Back-channel logout

Misc

  • Fall back to back-channel (SOAP) logout when the SP's metadata advertises no front-channel SingleLogoutService endpoint
  • Support Shibboleth SSO sessions

Non-trivial settings

  • SP certificate in metadata
    • Back-channel (SOAP) messages must be signed, so the IdP needs the SP's signing certificate to verify SP-originated LogoutRequests
  • SessionNotOnOrAfter (the session lifetime the IdP advertises to the SP in the AuthnStatement)

Required changes in IdP API

Name identifier caching in IdP session

Each LogoutRequest the IdP sends to a session participant must carry the name identifier (NameID) that the IdP issued to that participant during SSO; the SP matches the request against its own session by that value. To build these requests without re-deriving the identifiers, the IdP should cache every issued name identifier in the IdP session information object at the time the assertion is issued.

Associated ticket: SIDP-336

Session indexing

When a session participant sends a LogoutRequest, the IdP must find the IdP session that belongs to the principal. The SP identifies the principal only by the name identifier that was issued to it, so the IdP session object, which can be indexed (and then retrieved) by any unique key, is indexed by the name identifier value. The lookup should only honour an identifier that was actually issued to the requesting SP, and on the back channel only after the request's signature has been verified; otherwise one SP could terminate sessions on the strength of identifiers it was never given.

Associated ticket: SIDP-338
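The two API changes above (caching the issued name identifier in the session, and indexing the session by that identifier), together with the metadata-driven fallback from front-channel to back-channel logout listed under Features, are easiest to see as one piece of session bookkeeping. The following is an added example and is not Shibboleth IdP code: the class and method names (SessionManager, record_sso, handle_logout_request and so on) are hypothetical, the SP entityIDs and endpoint URLs are constructed sample data, and the index is keyed by the requesting SP's entityID together with the name identifier value, which is a stricter choice than the page's "index by name identifier value" and is made here so that an SP can only reference identifiers issued to it. The binding URIs and status codes are the ones defined by SAML 2.0.

```python
"""Session bookkeeping an IdP needs for SAML 2.0 Single Logout.

Added example, not Shibboleth IdP code: SessionManager and its methods
are hypothetical names.  Binding URIs and status codes are SAML 2.0's.
"""
import secrets
from dataclasses import dataclass, field

REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
FRONT_CHANNEL = (REDIRECT, POST)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
STATUS_UNKNOWN = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"


@dataclass
class Participant:
    """One SP that joined the session via SSO, with the NameID issued to it."""
    entity_id: str
    name_id: str
    name_id_format: str


@dataclass
class IdPSession:
    session_id: str
    principal: str
    participants: dict = field(default_factory=dict)  # entityID -> Participant


class SessionManager:
    def __init__(self, slo_endpoints):
        # slo_endpoints: entityID -> {binding URI: location}; a constructed
        # stand-in for the SingleLogoutService elements of SP metadata.
        self.slo_endpoints = slo_endpoints
        self.by_id = {}        # session_id -> IdPSession
        self.by_name_id = {}   # (entityID, NameID value) -> session_id

    def create_session(self, principal):
        session = IdPSession(secrets.token_hex(16), principal)
        self.by_id[session.session_id] = session
        return session

    def record_sso(self, session, entity_id, name_id, name_id_format):
        """Called when an assertion is issued: cache the NameID in the
        session (SIDP-336) and index the session by it (SIDP-338)."""
        session.participants[entity_id] = Participant(entity_id, name_id, name_id_format)
        self.by_name_id[(entity_id, name_id)] = session.session_id

    def lookup(self, requester, name_id):
        """Resolve a LogoutRequest's NameID to the IdP session.  The key
        includes the requesting SP, so an SP can only reference identifiers
        that were issued to it (stricter than indexing by value alone)."""
        session_id = self.by_name_id.get((requester, name_id))
        return self.by_id.get(session_id) if session_id else None

    def choose_binding(self, entity_id):
        """Front-channel if the SP's metadata advertises it, else the SOAP
        back channel, else (None, None): the SP cannot be notified."""
        endpoints = self.slo_endpoints.get(entity_id, {})
        for binding in FRONT_CHANNEL + (SOAP,):
            if binding in endpoints:
                return binding, endpoints[binding]
        return None, None

    def handle_logout_request(self, requester, name_id):
        """Plan propagation of an SP-initiated LogoutRequest and end the session.
        Each outgoing request carries the NameID issued to *that* participant."""
        session = self.lookup(requester, name_id)
        if session is None:
            return {"status": STATUS_UNKNOWN, "propagate": []}
        propagate, status = [], STATUS_SUCCESS
        for p in session.participants.values():
            if p.entity_id == requester:
                continue
            binding, location = self.choose_binding(p.entity_id)
            if binding is None:
                status = STATUS_PARTIAL   # a participant cannot be told
                continue
            propagate.append({"entity_id": p.entity_id, "binding": binding,
                              "destination": location, "name_id": p.name_id,
                              "name_id_format": p.name_id_format})
        # A real IdP ends its session only after the front-channel round trips
        # have completed; here the plan is returned and the session ended at once.
        self.destroy(session)
        return {"status": status, "propagate": propagate}

    def destroy(self, session):
        for p in session.participants.values():
            self.by_name_id.pop((p.entity_id, p.name_id), None)
        self.by_id.pop(session.session_id, None)


def demo():
    """Constructed scenario: three SPs with differing SLO support."""
    sp_a = "https://sp-a.example.org/shibboleth"
    sp_b = "https://sp-b.example.org/shibboleth"
    sp_c = "https://sp-c.example.org/shibboleth"
    mgr = SessionManager({
        sp_a: {REDIRECT: "https://sp-a.example.org/Shibboleth.sso/SLO/Redirect",
               SOAP: "https://sp-a.example.org/Shibboleth.sso/SLO/SOAP"},
        sp_b: {SOAP: "https://sp-b.example.org/Shibboleth.sso/SLO/SOAP"},
        sp_c: {},   # no SingleLogoutService at all
    })
    fmt = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    session = mgr.create_session("alice")
    mgr.record_sso(session, sp_a, "_tr-a", fmt)   # distinct transient ID per SP
    mgr.record_sso(session, sp_b, "_tr-b", fmt)
    mgr.record_sso(session, sp_c, "_tr-c", fmt)
    return mgr, mgr.handle_logout_request(sp_a, "_tr-a")


if __name__ == "__main__":
    print(demo()[1])
```

In the scenario, sp-a starts the logout: sp-b is reached over SOAP with its own `_tr-b` identifier, sp-c has no SingleLogoutService and so the response to sp-a must carry PartialLogout, and afterwards none of the three identifiers resolves to a session any more.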

Missing features

  • Administrative logout
  • IdP-initiated logout