Single logout enabled with the SOAP binding sends logout requests and responses across a back channel. You can require an entity to authenticate to access the back channel. The back channel can also be secured using SSL, though SSL is not required.
Securing the back channel using SSL involves:
SSL is not required for Basic authentication but you can use Basic over SSL. SSL is required for Client Cert authentication.
Note: Although you can configure an incoming and outgoing back channel, a given channel can have only one configuration. If two services use the same channel, these two services must use the same back channel configuration. For example, if the incoming channel for a local asserting party is used for HTTP-Artifact SSO and SLO over SOAP, these two services must use the same back channel configuration.
The options for back channel authentication are:

Basic
Indicates that a Basic authentication scheme is protecting the back channel.
Note: If SSL is enabled for the back channel connection, Basic authentication can still be selected.

Client Cert
Indicates that SSL with an X.509 client certificate protects the asserting party back channel.
If you select Client Cert as the authentication method, all endpoint URLs have to use SSL communication. This means that the URLs must begin with https://. Endpoint URLs locate the various SAML services on a server, such as single sign-on, single logout, the Assertion Consumer Service, the Artifact Resolution Service (SAML 2.0), and the Assertion Retrieval Service (SAML 1.x).

NoAuth
Indicates that the relying party is not required to supply credentials. The back channel is not secured. You can still enable SSL with this option; the back channel traffic is then encrypted, but no credentials are exchanged between the parties.
Use the NoAuth option for testing purposes but not for production, unless Federation Manager is configured for SSL-enabled failover and sits behind a proxy server. In this case, if client certificate authentication is used to protect the back channel, the proxy server handles the authentication because it has the server certificate. In that case, all IdP->SP partnerships can use NoAuth as the authentication type.
Important! The authentication method chosen for the incoming back channel must match the authentication method for the outgoing back channel on the other side of the partnership. Agreeing on the choice of authentication method is handled out of band.
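The rules above (Client Cert requires SSL and https:// endpoint URLs, NoAuth is for testing unless an SSL-enabled proxy authenticates the peer, and the incoming method on one side must match the outgoing method on the other) are easy to get wrong when partnerships are configured by hand. The following added example, which is not part of this documentation or of Federation Manager, is a small pre-deployment consistency check. The dictionary layout (`auth`, `ssl`, `endpoints`, `behind_ssl_proxy`, `incoming`/`outgoing`) and the sample partnership are assumptions constructed for the example, not the product's own configuration format.

```python
"""Consistency checks for SAML SLO back-channel settings.

Added example. The configuration dictionaries and helper names are
assumptions for illustration, not Federation Manager's own API or format.
"""
from urllib.parse import urlsplit

BASIC, CLIENT_CERT, NO_AUTH = "Basic", "Client Cert", "NoAuth"
VALID_METHODS = {BASIC, CLIENT_CERT, NO_AUTH}


def check_channel(channel, production=True):
    """Return a list of problems found in one back-channel configuration.

    `channel` is an assumed dict with keys:
      auth:             one of Basic / Client Cert / NoAuth
      ssl:              bool, whether the channel is secured with SSL
      endpoints:        mapping of service name -> endpoint URL
      behind_ssl_proxy: bool, an SSL-enabled proxy in front of the server
                        performs client certificate authentication
    """
    auth = channel.get("auth")
    if auth not in VALID_METHODS:
        return [f"unknown authentication method {auth!r}"]
    problems = []
    ssl = bool(channel.get("ssl"))
    endpoints = channel.get("endpoints", {})

    if auth == CLIENT_CERT:
        # Client Cert authentication requires SSL on the channel itself ...
        if not ssl:
            problems.append("Client Cert authentication requires SSL")
        # ... and every endpoint URL must begin with https://
        for name, url in endpoints.items():
            if urlsplit(url).scheme.lower() != "https":
                problems.append(
                    f"endpoint {name} must use https:// with Client Cert: {url}")
    elif auth == NO_AUTH and production and not channel.get("behind_ssl_proxy"):
        # NoAuth is acceptable in production only behind an SSL-enabled proxy
        problems.append(
            "NoAuth is for testing only unless an SSL-enabled proxy "
            "authenticates the peer")
    return problems


def check_partnership(local, remote, production=True):
    """Check both sides of a partnership.

    `local` and `remote` are assumed dicts with 'incoming' and 'outgoing'
    channel configurations. The local incoming channel must use the same
    authentication method as the remote outgoing channel, and vice versa.
    """
    problems = []
    for side, cfg in (("local", local), ("remote", remote)):
        for direction in ("incoming", "outgoing"):
            for p in check_channel(cfg[direction], production):
                problems.append(f"{side} {direction}: {p}")
    pairs = (
        ("local incoming", local["incoming"], "remote outgoing", remote["outgoing"]),
        ("local outgoing", local["outgoing"], "remote incoming", remote["incoming"]),
    )
    for a_name, a, b_name, b in pairs:
        if a["auth"] != b["auth"]:
            problems.append(
                f"{a_name} uses {a['auth']} but {b_name} uses {b['auth']}")
    return problems


# Constructed sample partnership (hypothetical hosts and paths, not real data).
SAMPLE_IDP = {
    "incoming": {"auth": BASIC, "ssl": True,
                 "endpoints": {"SLO": "https://idp.example.test/saml2/slo"}},
    "outgoing": {"auth": CLIENT_CERT, "ssl": True,
                 "endpoints": {"SLO": "https://sp.example.test/saml2/slo"}},
}
SAMPLE_SP = {
    # Client Cert with a plain http:// SLO endpoint: violates the https rule
    "incoming": {"auth": CLIENT_CERT, "ssl": True,
                 "endpoints": {"SLO": "http://sp.example.test/saml2/slo"}},
    # NoAuth in production without a proxy, and it does not match the IdP's
    # incoming method (Basic)
    "outgoing": {"auth": NO_AUTH, "ssl": True,
                 "endpoints": {"SLO": "https://idp.example.test/saml2/slo"}},
}

if __name__ == "__main__":
    for line in check_partnership(SAMPLE_IDP, SAMPLE_SP):
        print(line)
```

Run against the constructed sample, the check reports three findings: the SP's incoming channel has an http:// endpoint under Client Cert, the SP's outgoing channel uses NoAuth in production without a proxy, and the IdP's incoming method (Basic) does not match the SP's outgoing method (NoAuth). Passing `production=False` suppresses only the NoAuth finding; the https and matching rules apply in every environment.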
To secure the back channel for single logout
Note: You can click Help for a description of fields, controls, and their respective requirements.
If you select No Auth as the authentication method, no additional steps are required.
After entering values for all the necessary fields, the back channel configuration is complete.
Copyright © 2010 CA. All rights reserved.