Federation Manager Guide › Federation Partnerships › Single Logout (SAML 2.0) › Configure Single Logout

Configure Single Logout

Be aware of the following information when configuring single logout:

• If a partner receives a SAML <LogoutRequest> message using HTTP-Redirect, the response back to the sending party must use HTTP-Redirect.
• If a partner receives SAML <LogoutRequest> message using SOAP, the response back to the sending party must be over SOAP.
• If a partner receives an SLO request over a binding it does not support, single logout fails.
• If a single logout user session includes partners that use HTTP-Redirect and SOAP, configure Federation Manager to support both bindings. When the IdP proceeds with the logout, it logs out all SPs using SOAP then logs out all SPs using HTTP-Redirect binding.
• If a Federation Manager SP initiates single logout, we recommend starting with HTTP-Redirect binding, even if the SP supports SOAP.

  Review configuration guidelines for managing single logout in an environment that supports SOAP and HTTP-Redirect.

To configure single logout at either side of a partnership

Note: The SLO configuration settings are the same at the IdP and SP.

1. Begin at the SSO and SLO step of the Partnership wizard.
2. In the SLO group box, select one or both SLO bindings.

   The SLO binding enables single logout and indicates the binding in use at the local entity. The SLO binding also indicates which binding the local entity accepts when it receives a single logout request.

   If you select SOAP, you can encrypt the Name ID in the SOAP message. The setting for this option is in the Signature and Encryption step of the Partnership wizard.

   If you select SOAP as the binding, the Incoming and Outgoing Configuration for the Back Channel becomes active. SLO requests and responses are sent across a back channel and each local partner can secure the back channel by requiring the remote partner to authenticate.

   More information can be found about the back channel settings for SLO.

3. Configure any of the additional SLO settings:
   • SLO Confirm URL
   • Validity Duration
   • Relay State overrides SLO Confirm URL

   Note: You can click Help for a description of fields, controls, and their respective requirements.

4. Complete the table for the SLO Service URLs. You must have at least one entry.

   The SLO Service URL serves two functions—it initiates single logout, which then triggers Federation Manager to generate a SAML <LogoutRequest> message, and it tells Federation Manager where to send the logout request message.

   Specify a SLO service URL for each supported SLO binding, as follows:

   • HTTP-Redirect enabled—select one URL with HTTP-Redirect as the binding.
   • SOAP enabled—select one URL with SOAP as the binding.
   • Redirect and SOAP enabled—select two URLs, one set to HTTP-Redirect and one set to SOAP.

   Note: The Response Location URL field is optional.

   Click Add Row to add more entries to the table. Values defined for the selected remote entity are already entered in the table.

Single logout is configured after these steps are complete.