Feature Wiki

Information about planned and released features

Shibboleth SAML Single Logout

If you need any help in filling out this wiki page, please visit our ILIAS Community FAQ.

1 Initial Problem

The logout function at /logout.php?lang=de does not log out the Shibboleth user. After clicking "Logout", the logout page appears, but the Shibboleth session is still active, and the user can access ILIAS without any password.

A SAML Single Logout solution is implemented (over 10 years ago by Lukas Hämmerle, SWITCH), but it is not yet active. If a user clicks "Logout", only a local logout takes place. The Shibboleth session is still active.

SAML Single Logout needs a special SP and IdP configuration, which is not in the SWITCHaai documentation, so we need a setting in the administration for this behavior.

2 Conceptual Summary

The Logout function with /logout.php?lang=de doesn't log out the Shibboleth user correctly. The logout destroys the ILIAS-Session, but not the Shibboleth-Session.

For this, we need a setting in the administration:
* Single Logout for Shibboleth

When this setting is activated and a Shibboleth user is logged in, the "Logout" link goes to /Shibboleth.sso/Logout. For all other users (or when the setting is deactivated), the link goes to /logout.php.

Details can be found in the README:
https://github.com/ILIAS-eLearning/ILIAS/blob/release_5-2/Services/AuthShibboleth/README.SHIBBOLETH.txt

3 User Interface Modifications

3.1 List of Affected Views

On the following page, we need a checkbox to activate Single Logout:
  • Administration -> Authentifizierung/Neuanmeldung -> Tab "Shibboleth" -> Submenu "Shibboleth-Einstellungen"

3.2 User Interface Details

We need one more text input field or checkbox:
  • SAML Single Logout
We need to check with the maintainer whether it is possible to read out the logout path (e.g. /Shibboleth.sso/Logout) in the system, or whether we need to enter the path in the administration.
If the function is activated, Shibboleth users clicking on the logout link will get the correct link to the Single Logout Service (e.g. /Shibboleth/Logout). All other users will get the normal ILIAS logout link.
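
The link selection described in sections 2 and 3.2, as an added PHP example that is not ILIAS code. It assumes the logout path is entered in the administration; the function names, parameters and sample cases are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration, not ILIAS code. All names below are hypothetical.
const LOCAL_LOGOUT = '/logout.php';

/**
 * Accept only a site-relative handler path such as /Shibboleth.sso/Logout,
 * so that an admin-entered value cannot send users to another host.
 */
function isSafeLogoutPath(string $path): bool
{
    return preg_match('#^/[A-Za-z0-9._~-]+(/[A-Za-z0-9._~-]+)*$#', $path) === 1;
}

/**
 * Choose the target of the "Logout" link.
 * $isShibUser: the current session was authenticated via Shibboleth.
 * $sloEnabled: the "Single Logout for Shibboleth" setting.
 * $sloPath:    the SP logout handler path from the administration.
 */
function resolveLogoutUrl(bool $isShibUser, bool $sloEnabled, string $sloPath, string $lang): string
{
    $local = LOCAL_LOGOUT . '?' . http_build_query(['lang' => $lang]);
    if (!$isShibUser || !$sloEnabled) {
        return $local;
    }
    if (!isSafeLogoutPath($sloPath)) {
        // Misconfigured path: use the local logout rather than an unchecked target.
        // The Shibboleth session stays active in this case, so the setting needs fixing.
        return $local;
    }
    return $sloPath;
}

// Constructed sample cases: [Shibboleth user?, setting active?, configured path].
$cases = [
    [true,  true,  '/Shibboleth.sso/Logout'],
    [true,  false, '/Shibboleth.sso/Logout'],
    [false, true,  '/Shibboleth.sso/Logout'],
    [true,  true,  '//idp.example.org/Logout'],
];
foreach ($cases as [$shib, $slo, $path]) {
    printf("%-5s %-5s %-26s => %s\n", var_export($shib, true), var_export($slo, true),
        $path, resolveLogoutUrl($shib, $slo, $path, 'de'));
}
```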

3.3 New User Interface Concepts

{If the proposal introduces any completely new user interface elements, please provide a link to separate feature wiki entries for each of them according to the kitchen sink template.}

4 Technical Information

{The maintainer has to provide necessary technical information, e.g. dependencies on other ILIAS components, necessary modifications in general services/architecture, potential security or performance issues.}

5 Contact

  • Author of the Request: Raimann, Marcel [raimann]
  • Maintainer: {Please add your name before applying for an initial workshop or a Jour Fixe meeting.}
  • Implementation of the feature is done by: {The maintainer must add the name of the implementing developer.}

6 Funding

If you are interested in funding this feature, please add your name and institution to this list.
  • ...

7 Discussion

8 Implementation

{The maintainer has to give a description of the final implementation and add screenshots if possible.}

Test Cases

Test cases completed at {date} by {user}
  • {Test case number linked to Testrail} : {test case title}

Approval

Approved at {date} by {user}.

Last edited: 29. Mar 2017, 16:52, Raimann, Marcel [raimann]