We have used Shibboleth to authenticate users. It works great.
The issue is that after going to user/logout (and, I think, actually logging out), the user is immediately and automatically re-authenticated!
Any solutions come to mind?
Thanks!
This is a moderately complex issue, depending on what you want to achieve. The bad news is that according to people who should know, SingleLogOff basically doesn't work, because at the very least the local app might cache login information and there's no reliable way of telling everybody to log you out.
However, logging out of a Service Provider's specific session might be as easy as sending your user to
https://yourhost/Shibboleth.sso/Logout?return=http://www.google.com which will destroy that session and redirect the user to the given URL.
To destroy the session with the IdP, you'd probably need a way to erase the _idp_session cookie set by the IdP, which is easy if you control the IdP and not if you don't. (The shibd SP does support telling the IdP to log out the IdP session, too, but the IdP doesn't.)
EDIT AFTER SHIB 3 RELEASE
Shibboleth 3 now support SLO.