Single Log Out (SLO) is a concept parallel to the Single Sign On (SSO) concept: if a user can seamlessly establish sessions with a number of services, there should also be a way to seamlessly terminate such sessions.

However, there are a number of gotchas in SLO, including temporarily unreachable services and the termination of application-level sessions derived from the original session. Please refer to the upstream Shibboleth Project documentation on SLO Issues for further information.

The Shibboleth IdP (versions 2.4.0+) supports at least a minimalist SLO implementation:

  • It is possible to terminate the session at the IdP, so that no further SP sessions can be established.
  • It is possible to initiate logout at an SP where the user has a current session.  The SP can send an SLO message to the IdP and terminate the session there as well.
  • However, the IdP does not propagate the SLO to any additional SPs.
  • By default, the SLO message from the SP to the IdP is asynchronous and the flow ends at the IdP Logout page.
  • The IdP Logout page displays the list of SPs the user has accessed within this IdP session, and informs the user that the only secure way to close all sessions is to close the browser window.
  • It is also possible to do a synchronous SP to IdP SLO flow that redirects back to the SP, where the SP can either display a message confirming the SP and IdP sessions have been terminated, or can redirect the user to an application-level page confirming the successful logout.

Nonetheless, unless the user has established a session with only one SP, and that SP's session (including any application-level session) has been successfully terminated, the only reliable way to close all sessions is to close the browser window. Details on this minimalist implementation are available at https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableSLO.
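To make the behaviour listed above concrete, the following is an added illustration written for this page, not code from the Shibboleth Project or the original text. It models the SP-initiated SLO exchange in Python: the SP builds a SAML2 LogoutRequest (Issuer, NameID, SessionIndex, Destination, NotOnOrAfter), the IdP validates it before terminating its own session, and the result shows what the IdP logout page lists and which SP sessions remain open because the IdP does not propagate the logout. The IdP endpoint, entity IDs, NameID values and the fixed clock are constructed placeholders; message signing, which a real deployment relies on, is deliberately left out.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed placeholders (assumptions for this example, not values from the page).
IDP_SLO_URL = "https://idp.example.org/idp/profile/SAML2/Redirect/SLO"
SP1 = "https://sp1.example.edu/shibboleth"
SP2 = "https://sp2.example.edu/shibboleth"
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility


def build_logout_request(sp_entity_id, name_id, session_index, now):
    """SP side: the SAML2 LogoutRequest sent to the IdP's SLO endpoint.
    A real SP also signs the message; signature handling is left out here."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now.strftime(TIME_FMT),
        "Destination": IDP_SLO_URL,
        # Short validity window: a captured request cannot be presented later.
        "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(TIME_FMT),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


class IdP:
    """IdP side of the minimalist SLO model: one session per login, recording the
    SPs served in it. The IdP terminates its own session on a valid LogoutRequest
    and does not contact the other SPs, as the page describes."""

    def __init__(self, known_sps):
        self.known_sps = set(known_sps)
        self.sessions = {}  # session_index -> {"name_id": str, "sps": [entity_id, ...]}

    def login(self, name_id, sp_entity_id, session_index=None):
        """SSO: start a session on first login, then record each further SP served."""
        if session_index is None:
            session_index = "_" + uuid.uuid4().hex
            self.sessions[session_index] = {"name_id": name_id, "sps": []}
        self.sessions[session_index]["sps"].append(sp_entity_id)
        return session_index

    def handle_logout_request(self, xml_text, now):
        """Validate a LogoutRequest and terminate the session it names.
        Returns (accepted, detail, sps_in_session); detail is the rejection
        reason, or the SAML status URI when the request was processed."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            return False, "not a LogoutRequest", []
        if root.get("Destination") != IDP_SLO_URL:
            return False, "Destination does not match this endpoint", []
        expiry = root.get("NotOnOrAfter")
        if expiry and now >= datetime.strptime(expiry, TIME_FMT).replace(tzinfo=timezone.utc):
            return False, "LogoutRequest expired", []
        if root.findtext(f"{{{SAML}}}Issuer") not in self.known_sps:
            return False, "Issuer is not a registered SP", []
        name_id = root.findtext(f"{{{SAML}}}NameID")
        index = root.findtext(f"{{{SAMLP}}}SessionIndex")
        session = self.sessions.get(index)
        if session is None or session["name_id"] != name_id:
            # Already logged out, or the request names a session that is not this user's.
            return True, STATUS_REQUESTER, []
        del self.sessions[index]
        return True, STATUS_SUCCESS, list(session["sps"])


def sp_initiated_logout(idp, sp_entity_id, name_id, session_index, now, asynchronous=True):
    """Whole exchange from the user's point of view. The SP drops its own session
    ("Local") and sends the LogoutRequest ("SAML2"); the flow ends either at the
    IdP logout page (asynchronous, the default) or back at the SP (synchronous)."""
    accepted, detail, sps_in_session = idp.handle_logout_request(
        build_logout_request(sp_entity_id, name_id, session_index, now), now)
    return {
        "accepted": accepted,
        "status": detail,
        "ends_at": "idp_logout_page" if asynchronous else "sp",
        # The IdP page lists every SP used in the session so the user knows what is still open.
        "idp_page_lists": sps_in_session if asynchronous else [],
        # Sessions the IdP never touched: every other SP (plus any app-level session).
        "sps_still_open": [sp for sp in sps_in_session if sp != sp_entity_id],
    }
```

Running the model with a user who has visited two SPs shows the point of the page's last paragraph: after logout from SP1 the IdP session is gone and no new SP sessions can be established, but SP2's session is untouched, so the IdP logout page must list it and advise closing the browser.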

SLO configuration on a Service Provider

No configuration is necessary: on Shibboleth SP version 2.5.0+, SLO works out of the box.

The only work required for basic functionality to work is adding a Logout button to the application pointing to the initiator (see the section on Initiating Single Logout below).

The only configuration work to be done would be tweaking the Logout Initiator for advanced deployment scenarios:

Both of these settings (asynchronous and outgoingBindings) can be set as attributes on the <Logout> element in /etc/shibboleth/shibboleth2.xml; they are passed through as attributes to the SAML2 LogoutInitiator that the Logout element creates. The fully unfolded configuration, with settings identical to the defaults, is:

 <Logout asynchronous="true" outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST urn:oasis:names:tc:SAML:2.0:bindings:SOAP">SAML2 Local</Logout>

For further information, please see the following documentation from the Shibboleth Project wiki:

SLO configuration on an Identity Provider

Please see the relevant section in the IdP installation manual.

Please note that if the above steps have NOT been done for an IdP, then:

Initiating Single Logout