wiki:SPLogout
Last modified 11 years ago Last modified on 06/24/14 10:08:55

This is a prototype SP logout landing page. Each Service is responsible for logging out users from that service and should delete the user's session cookie. But it is trivial to use the SSO cookie to log back into that service or another in the same security domain. To prevent such behavior (a high risk / high security application or a need to log into the same service as a different user) the SP can re-direct the browser to a page like this that offers the opportunity to end the SSO session. The SP could also directly use the link behind the "End My Current SSO Session", removing the option from the user. Despite these measures, it is still important for users to quit the browser (see the discussion below).

You have been logged out of {the Application or Service that re-directed you here}.

You can log in again by returning to that service's location.

Your current Single-Sign-On (SSO) session is still active

An SSO session was established when you entered your credentials at UA. SSO enables you to authenticate to (log in to) this and other sites that rely on UA's privacy-preserving SSO (those services never see your password). Examples of such SSO-enabled services at UA are listed here.

Removing Your Single-Sign-On session

You can end your SSO session by clicking on the link below; this will force authentication (require entry of credentials) for subsequent services that would otherwise rely on your existing SSO session. Removing your SSO session does NOT log you out of any services to which you are currently authenticated.

End My Current UA SSO Session

Risks of data cached in your browser:

If the computer/tablet/phone you are using is shared with others, and you wish to limit the risk that others will be able to view or use information that may be cached in your web browser, you can reduce (but not eliminate) such risk by the following practices.

  • Use browsers' "private browsing" option to limit sharing or storing information outside the browser window.
  • Explicitly log out of all web sites; do not rely solely on closing the browser or browser window.
  • Never take up the browser's suggestion to save passwords or "remember me," as that may enable others to log in as you!
  • Explicitly clear the cookies and caches in your browser: brief directions for common browsers are here.

Help for service owners crafting logout from their application

You can craft a URL like the following in your application.

https://yourapp.yourdomain.net/Shibboleth.sso/Logout?return=http://iam.alaska.edu/trac/wiki/SPLogout

Obviously you must take care of cleanup within your application - closing files, saving changes and the like. Then redirect the users browser as in the link above. If your Shibboleth SP is close to the default, replace "yourapp.yourdomain.edu" with the URL of your application; you can build your own logout page to inform users they have logged out of the application but still have an SSO session, providing them a link similar to the "End My Current UA SSO Session" link above.

Here is an example that logs you out of this iam wiki:

https://iam.alaska.edu/Shibboleth.sso/Logout?return=http://iam.alaska.edu/trac/wiki/IAMwikiSPLogout

Note that the user may still have OTHER sessions active; removing the session with your application and the SSO session will not in itself log users out of current sessions with other applications.