--- loncom/html/adm/help/tex/Institutional_Integration_Shibboleth.tex 2015/03/13 03:33:57 1.2
+++ loncom/html/adm/help/tex/Institutional_Integration_Shibboleth.tex 2015/03/26 22:15:20 1.4
@@ -255,8 +255,8 @@ Add a file to your Apache conf directory
is domain, to include items such as:
\begin{verbatim}
-PerlSetVar lonSSOUserLogoutMessageFile
-/home/httpd/html/adm/sso_logout_link_html_frag
+PerlSetVar lonSSOUserLogoutHeadFile_/home/httpd/html/adm/sso_logout_head
+PerlSetVar lonSSOUserLogoutMessageFile_ /home/httpd/html/adm/sso_logout_body
PerlSetVar lonSSOUserUnknownRedirect /adm/sso_failed_login.html
PerlSetVar lonSSOUserDomain
\end{verbatim}
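Review bot: the two added PerlSetVar lines are inconsistent with each other, and neither reads as a clean name/value pair. lonSSOUserLogoutHeadFile_ runs straight into the path with no whitespace, while lonSSOUserLogoutMessageFile_ ends in a bare underscore followed by a space. If a domain placeholder is meant to follow the underscore, as the notes in the next hunk describe, write it as a literal placeholder that survives inside verbatim, and separate name and path with a space on both lines. Since the notes say the unsuffixed names are also honoured, showing one suffixed and one unsuffixed line here would make the two forms unambiguous.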
@@ -266,9 +266,19 @@ and add the corresponding files owned by
Notes:
\begin{enumerate}
\item
-Both files contain HTML mark-up, but the logout link is just a fragment which will
-be inserted into the standard LON-CAPA logout page, whereas the sso\_failed\_login.html file
-should be a complete HTML document.
+All files will contain HTML mark-up, but the sso\_logout\_head item is a fragment
+inserted into the head block of the standard LON-CAPA logout page, and similarly,
+the sso\_logout\_body is a fragment inserted into the body of the page,
+whereas the sso\_failed\_login.html file should be a complete HTML document.
+
+If the name of the PerlVar ends \_$<$dom$>$ then the HTML fragment is only displayed
+to SSO users from that particular domain. It is possible that a LON-CAPA user from another
+domain might have used SSO authentication on a server in his/her home domain, and then switched
+session to your server, (e.g., for co-author access to an Authoring Space in your domain).
+In that particular case, if you wanted to display custom HTML, you should add a PerlVar with a
+name ending in \_$<$otherdom$>$. If you include PerlVars for lonSSOUserLogoutHeadFile
+and/or lonSSOUserLogoutMessageFile they will be included for SSO users who use the Logout link
+on your LON-CAPA regardless of the user's domain.
\item
SAML 2 Single Logout (SLO) has limited support starting with IdP's running Shibboleth 2.4.
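Review bot: in the added paragraph, the last sentence ("If you include PerlVars for lonSSOUserLogoutHeadFile and/or lonSSOUserLogoutMessageFile they will be included ... regardless of the user's domain") never says that it means the names without a domain suffix, which is the only thing that distinguishes it from the first sentence. State that explicitly, and document what happens when both a suffixed and an unsuffixed variable apply to the same user (one takes precedence, or both fragments are inserted). The paragraph also says "PerlVar" where the configuration example uses PerlSetVar, so pick one term. Because sso_logout_head is inserted into the head block of the logout page, it is worth stating in this item that the fragment files should be writable only by the server administrator.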
@@ -282,7 +292,7 @@ In pre-2.4 Shibboleth2 /etc/shibboleth2.
e.g., https://yourserver/Shibboleth.sso/Logout.
Depending on the availability of SLO support from your institution's IdP you should craft an appropriate
-message to include in sso\_logout\_link\_html\_frag. If you include a link to the URL for a local logout,
+message to include in sso\_logout\_body. If you include a link to the URL for a local logout,
you should indicate that access to other web applications using SSO may continue to be available, even
after logout from the specific SP. If no local logout is provided, then after logout from LON-CAPA,
the web browser needs to be quit, to ensure access to LON-CAPA requires re-authentication.
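Review bot: the renamed sentence still speaks of a single message in sso_logout_body written around "your institution's IdP", but the previous hunk introduces per-domain fragments for users who authenticated at another domain's IdP and then switched session to this server. SLO availability and the correct local logout advice may differ for those users, so this paragraph should say that the message in a domain-suffixed file needs to reflect that domain's IdP, or that the unsuffixed file must be worded generically enough to be accurate for all of them.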
@@ -303,7 +313,7 @@ instead it can come from a customized ge
\end{enumerate}
-e.g., sso\_logout\_link\_html\_frag
+e.g., sso\_logout\_body
\begin{verbatim}