Hello, This is the role of any SSO to make you authenticate everytime you access a ressource. So when you click on Logout, it sends your credentials again and keep you loggued in. So it depends greatly on the type of your SSO, but for example for CAS, the only way would be to experiment Single Sign Out (which was experimental last time I looked to it). The main problem is that the mod_cas for Apache doesn't have the ability to destroy the SSO cookie, which would be a 100% sure way to log you out. What SSO have you implemented? Guillaume 2014-07-01 20:13 GMT+02:00 Brockmeier, Chris S <chris.s.brockmeier(a)lmco.com> :

This logout is going to kill me! :) Anyways, in my SSO Authenticator, I override the getAuth() function and I'm currently looking for "logout" in the URI, if so I go ahead and invalidate the session and remove the weblogic jsessionId cookie. Once the redirect occurs it appears that it obtains the original user along with his credentials. It appears that absolutely nothing happens. Any ideas? Thanks, Chris. -----Original Message----- From: users [mailto:users-bounces@xwiki.org] On Behalf Of Brockmeier, Chris S Sent: Tuesday, July 01, 2014 3:28 PM To: XWiki Users Subject: Re: [xwiki-users] EXTERNAL: Re: Xwiki Logout We are authenticating against LDAP. When we login via our product (which is run on weblogic) and then go to xwiki we are logged in and everything looks good, we can log out from our application and the xwiki again looks good. Except there is a backdoor, where the user can go to xwiki and login directly w/o going through our product first. At that point, if the user then tries to logout via the xwiki button, nothing really happens besides the logs filling up with errors. Does this help? -----Original Message----- From: users [mailto:users-bounces@xwiki.org] On Behalf Of Guillaume Fenollar Sent: Tuesday, July 01, 2014 1:59 PM To: XWiki Users Subject: EXTERNAL: Re: [xwiki-users] Xwiki Logout Hello, This is the role of any SSO to make you authenticate everytime you access a ressource. So when you click on Logout, it sends your credentials again and keep you loggued in. So it depends greatly on the type of your SSO, but for example for CAS, the only way would be to experiment Single Sign Out (which was experimental last time I looked to it). The main problem is that the mod_cas for Apache doesn't have the ability to destroy the SSO cookie, which would be a 100% sure way to log you out. What SSO have you implemented? Guillaume 2014-07-01 20:13 GMT+02:00 Brockmeier, Chris S <chris.s.brockmeier(a)lmco.com> : _______________________________________________ users mailing list users(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/users _______________________________________________ users mailing list users(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/users