SAML IDP Logout and Cookies

By: ved singh user 10 Jul 2017 at 10:54 p.m. CDT

4 Responses
ved singh gravatar
Hi, Use case here is to perform SP-initiated SAML Single Logout and I was going over the documentation here: https://gluu.org/docs/ce/operation/logout/#saml-logout Im bit confused as it says "The logout URI for SAML SP is https://<hostname of Gluu Server>/idp/logout.jsp. Calling this URL within Gluu Server kills the session inside Gluu Server." My confusion is, invoking this url, kill's Shibboleth IDP session or Shibboleth SP session ? If it kills IDP session then why it doesn't delete these cookies - shib_idp_session_ss and shib_idp_session ? Does the application(SP website) has to delete these cookies? Thanks.
CentOS72
closed

Answers

By Mohib Zico Account Admin 11 Jul 2017 at 2:14 a.m. CDT

Copy
Mohib Zico gravatar
>> My confusion is, invoking this url, kill's Shibboleth IDP session or Shibboleth SP session ? IDP session. >> If it kills IDP session then why it doesn't delete these cookies - shib_idp_session_ss and shib_idp_session ? I am exactly not sure how we are using them in our Gluu server as we are managing session with our oxAuth ( the OpenID Connect of Gluu Server ). >> Does the application(SP website) has to delete these cookies? In current scenario, SP must have to initiate some session-killing operation from it's side; or SP can implement a 'Force Re-Authentication' from that side as well.

By ved singh user 11 Jul 2017 at 10:30 p.m. CDT

Copy
ved singh gravatar
So what I understand is,we have two session 1) Gluu server session 2) User IDP session So,let me phrase my query in another way. When user logs in IDP, the authentication information is stored in cookies in the user's browser. This cookie is nothing but an identifier to user IDP session.In ideal world, if the cookie is present in browser then there exists an IDP session of that user and if the cookie is absent then the user IDP session has expired. Which is that cookie ? AFAIK, Shibboleth IDP uses uese shib_idp_session_ss and shib_idp_session, but you said Gluu is not useing that. So, if I want to check for existence of cookie in http request, which one i should be looking for ? Extending my understanding further, I guess,the user + session information is cryptographically encoded within the cookie and there is no corresponding "authenticated server session" (which means there is no need for session replication in clustered env - LDAP replication is only for replicating user info + config data and not authentication session info) Is my thought correct? Appreciate all your help and directions.

By Mohib Zico Account Admin 12 Jul 2017 at 1:31 a.m. CDT

Copy
Mohib Zico gravatar
Please pardon me but what's your actual question? I mean... are you facing any issue anywhere? Or, are you planning to implement logout by yourself?

By William Lowe user 12 Jul 2017 at 10:15 a.m. CDT

Copy
William Lowe gravatar
Hi Ved, We want to see the community be successful with their projects, but we don't have the bandwidth for high level consultations in community support. If you need more high level support for questions like the above, I encourage you to purchase a support plan. I'm closing this ticket for now. Thanks, Will

Post an answer