Currently, Shibboleth doesn't support single logout (SLO), so the only way for a user to completely log out of all SP applications and the IdP server is to close their browser. SP-based applications can call their own logout method to end the SP session, but this would still leave the IdP session active. The IDM team has provided a URL that will end the IdP session.
If you are using the Shibboleth SP software, you can use a link to a URL of this form to perform a "local" logout of the user at your SP (which ends their SP session), then redirect the user to the IdP logout endpoint:
You should remove the word "SAML2" from the contents of the Logout element in your shibboleth2.xml file, leaving only "Local". This will prevent your server from attempting a SAML SLO operation, which is not implemented by our IdP.
Before Feb 15, 2012, the IdP logout URL will perform the following events:
Destroy the IdP session and cookie (_idp_session)
Redirect the browser to the CAH logout URL www.umn.edu/logout, destroying the authV2 cookie
If a return parameter is supplied to the IdP logout URL, redirect the browser to this URL; otherwise display the default logout page. Note that the URL must be https.
Starting Feb 15, 2012, the IdP logout will no longer redirect the browser to the CAH logout page.
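The chained redirect described above (local SP logout, then the IdP logout URL, then an optional return page) needs the inner return URL encoded once and the whole IdP URL encoded again, plus the https check. This is an added example, not code from this page or from the Shibboleth project; the host names, the IdP logout path, the SP's default /Shibboleth.sso/Logout handler path and the use of "return" as the parameter name on both endpoints are assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumptions (not from the page): placeholder hosts, the Shibboleth SP default
# handler path, and "return" as the query parameter name on both endpoints.
SP_LOGOUT = "https://app.example.edu/Shibboleth.sso/Logout"
IDP_LOGOUT = "https://idp.example.edu/idp/logout"  # placeholder IdP logout URL


def require_https(url):
    """Reject anything that is not an absolute https URL."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("return URL must be an absolute https URL: %r" % url)
    return url


def build_logout_link(final_url=None, sp_logout=SP_LOGOUT, idp_logout=IDP_LOGOUT):
    """Local SP logout first, then the IdP logout, then the optional final page."""
    idp_url = require_https(idp_logout)
    if final_url is not None:
        # Inner hop: encoded once here ...
        idp_url += "?" + urlencode({"return": require_https(final_url)})
    # ... and again here, so the SP hands the whole IdP URL on intact.
    return require_https(sp_logout) + "?" + urlencode({"return": idp_url})


def unwrap(link):
    """Decode the chain hop by hop, the way each endpoint would see it."""
    hops = [link]
    while True:
        nxt = parse_qs(urlsplit(hops[-1]).query).get("return")
        if not nxt:
            return hops
        hops.append(nxt[0])


if __name__ == "__main__":
    link = build_logout_link("https://app.example.edu/goodbye?lang=en")
    print(link)
    for hop in unwrap(link):
        print("  ->", urlsplit(hop)._replace(query="").geturl())
```

If the inner URL is not encoded separately, its own query string (here lang=en) is parsed by the SP handler instead of reaching the final page.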