For single logout, the values of the SLO Validity Duration and Skew Time instruct Federation Manager on how to calculate the total time that the single logout request is valid.
Two values are relevant when calculating how long the logout request is valid: the IssueInstant value and the NotOnOrAfter value. In the SLO response, the single logout request is valid until the NotOnOrAfter value. When a single logout request is generated, Federation Manager takes its system time. The resulting time becomes the IssueInstant set in the request message. To determine when the logout request is no longer valid, Federation Manager takes its current system time and adds the Skew Time and the SLO Validity Duration to it. The resulting time becomes the NotOnOrAfter value.
Note: Times are relative to GMT.
For example, a logout request is generated at the asserting party at 1:00 GMT. The Skew Time is 30 seconds and the SLO Validity Duration is 60 seconds. Therefore, the request is valid between 1:00 GMT and 1:01:30 GMT. The IssueInstant value is 1:00 GMT and the single logout request message is no longer valid 90 seconds afterward.
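The calculation above, worked through as an added Python example; it is not Federation Manager code. The function names, the skeleton LogoutRequest (timing attributes only, no Issuer, NameID or signature), the request ID and the receiver-side window check are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
UTC_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xs:dateTime in UTC, whole seconds
ET.register_namespace("samlp", SAMLP_NS)


def validity_window(system_time, skew_seconds, slo_validity_seconds):
    """Return (IssueInstant, NotOnOrAfter) computed as the text describes."""
    if system_time.tzinfo is None:
        raise ValueError("system time must be timezone-aware")
    issue_instant = system_time.astimezone(timezone.utc).replace(microsecond=0)
    lifetime = timedelta(seconds=skew_seconds + slo_validity_seconds)
    return issue_instant, issue_instant + lifetime


def build_logout_request(request_id, system_time, skew_seconds, slo_validity_seconds):
    """Skeleton LogoutRequest carrying only the timing attributes (constructed)."""
    issued, expires = validity_window(system_time, skew_seconds, slo_validity_seconds)
    request = ET.Element(f"{{{SAMLP_NS}}}LogoutRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issued.strftime(UTC_FMT),
        "NotOnOrAfter": expires.strftime(UTC_FMT),
    })
    return ET.tostring(request, encoding="unicode")


def parse_instant(value):
    return datetime.strptime(value, UTC_FMT).replace(tzinfo=timezone.utc)


def is_request_valid(xml_text, at):
    """True while IssueInstant <= at < NotOnOrAfter (assumed receiver check)."""
    # Parses a message built above; use a hardened parser for untrusted XML.
    request = ET.fromstring(xml_text)
    if request.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError("not a SAML 2.0 LogoutRequest")
    issued = parse_instant(request.attrib["IssueInstant"])
    expires = parse_instant(request.attrib["NotOnOrAfter"])
    return issued <= at.astimezone(timezone.utc) < expires


if __name__ == "__main__":
    # Constructed sample matching the example: 1:00 GMT, skew 30 s, validity 60 s.
    t0 = datetime(2011, 1, 1, 1, 0, 0, tzinfo=timezone.utc)
    message = build_logout_request("_example-id", t0, 30, 60)
    print(message)
    for offset in (0, 89, 90):
        print(offset, is_request_valid(message, t0 + timedelta(seconds=offset)))
```

A system time given in a local zone is converted to UTC before the window is computed, so both attributes are always written relative to GMT.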
Copyright © 2011 CA. All rights reserved.