Given that Single Logout is not enabled by default in Shibboleth (and is not on our IdP), what is the recommended Logout URL when setting up a Shibboleth (SAML) authentication provider? I initially just left it blank, but then users get an error message from Canvas when they logout. If I redirect them anywhere else, they end up at the new page but simply don't get logged out...
I have a somewhat related question. Our IdP metadata does not specify a SSO Logout URL. In the Canvas SAML configuration I have used the service page we have set-up for our institution's Canvas. The seems to work acceptably well, and from a user-experience perspective it is good. The problem is that the Logout URL will be replaced by a blank entry (every 24hrs) when Canvas reads our IdP metadata. A blank Logut URL can lead to errors for users when logging out. The only workaround is that I need to remove the entry for IdP metadata. This is not ideal since the Certificate Fingerprint will not get updated automatically when needed. Would like to know if others have found a better solution to this problem.
The underlying problem is the many (most?) Shibboleth IdPs don't have a global logout, so the only way to log out is to close the browser. We put up an global announcement telling users they need to close the browser and not use the logout button, but of course they don't read it...
We are giving the Canvas Admins area a little bit of love (especially questions that are really, really old) and just want to check in with you. This will also bring this question new attention.
Were you able to find an answer to your question? I am going to go ahead and mark this question as answered because there hasn't been any more activity in a while so I assume that you have the information that you need. If you still have a question about this or if you have information that you would like to share with the community, by all means, please do come back and leave a comment. Also, if this question has been answered by one of the previous replies, please feel free to mark that answer as correct.
I didn't really get any more information, but users have mostly gotten used to the idea that they need to close the browser now to log out completely.