Shibboleth logout functionality implemented

Fri, Feb 9, 2007

I was having some problems with the Guanxi IdP running in embedded mode in the Bodington VLE. What was happening was you could log in to Bodington and then automatically log in to mvnForum as I’d linked them together using the Guanxi IdP in Bodington and the Guanxi Guard in mvnForum. However, logging out of Bodington did not result in logging out of the embedded IdP.

The IdP was storing the GuanxiPrincipal in the session, which was different from the Bodington session. So although you’d logged out of Bodington you hadn’t logged out of the IdP. So the IdP would still dish out attributes for the previous user. Not good.

So to fix it I moved the GuanxiPrincipal handling to the servlet context and referenced it via a new IdP cookie and added a couple of static methods:

org.guanxi.sp.guard.Guard.deactivatePod(Pod pod)

org.guanxi.idp.SSO.logout(GuanxiPrincipal principal)

Then layered a couple of servlets on top of them to use from a browser:

http://localhost/protectedapp/guard.guanxiGuardlogout

http://localhost/guanxi_idp/logout

The two URLs are for users, to let them log out of the SP and IdP respectively. However, applications such as Bodington will use the low-level APIs directly, to incorporate Shibboleth logout in their functionality.
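
A sketch of the fix described above, as an added example that is not Guanxi's or Bodington's code: the principal lives in an application-wide map (standing in for the servlet context) keyed by a random value carried in the IdP cookie, so the host application can end the IdP login without touching the IdP's own session. The class and method names are hypothetical, and keying the map by the cookie value is an assumption about how the cookie references the principal.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical stand-in for principals kept in the servlet context; not Guanxi code. */
public class ContextPrincipalStore {
    // Plays the role of ServletContext attributes: one map per web application,
    // visible to every request regardless of which HttpSession it arrives with.
    private static final Map<String, String> PRINCIPALS = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    /** Called after authentication; the returned value is what the IdP cookie carries. */
    public static String login(String userId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw); // unguessable, so the cookie cannot be forged for another user
        String cookieValue = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        PRINCIPALS.put(cookieValue, userId);
        return cookieValue;
    }

    /** Attribute release path: no live entry for the cookie means no attributes. */
    public static Optional<String> principalFor(String cookieValue) {
        return cookieValue == null ? Optional.empty()
                                   : Optional.ofNullable(PRINCIPALS.get(cookieValue));
    }

    /** Low-level logout the host application calls from its own logout handler. */
    public static boolean logout(String cookieValue) {
        return cookieValue != null && PRINCIPALS.remove(cookieValue) != null;
    }

    public static void main(String[] args) {
        String cookie = login("alice");                        // constructed sample user
        System.out.println(principalFor(cookie).isPresent());  // principal is live after login
        logout(cookie);                                        // host application logs the user out
        System.out.println(principalFor(cookie).isPresent());  // stale cookie no longer resolves
        System.out.println(logout(cookie));                    // second logout finds nothing to remove
    }
}
```

Because the lookup fails closed once the entry is removed, a browser that still presents the old IdP cookie after the host application's logout gets no principal and therefore no attributes.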
