Tuesday 10 February 2009

Shibboleth2 signoff (kind of)

Sometimes someone asks for a sign-off procedure for Shibboleth. As is well known, Single Sign Off is not possible in Shibboleth 2.1.

It is possible to configure a Shibboleth 2 SP to authenticate the user each time she asks for a resource, actually breaking single sign-on. Just modify shibboleth2.xml by adding forceAuthn="true" to the SAML2 SessionInitiator:

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
                  relayState="cookie" entityID="https://idp.test.com/idp/shibboleth">
    <SessionInitiator type="SAML2" defaultACSIndex="1" template="/opt/shibboleth-sp/etc/shibboleth/bindingTemplate.html" forceAuthn="true"/>
    <SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>

This configuration allows a user to execute a local sign-off, which forces her to re-authenticate on the IdP without closing the browser.

Please note this setting is completely insecure, as the allegedly logged-out user is actually still logged in on the IdP and can access other services with the former identity. It can be secure only if the service is kiosked or the IdP is in charge of serving just one SP.