Your network could include some sites that support the HTTP-Redirect binding and others that support the SOAP binding. The IdP has to manage multiple bindings, while each SP sends or receives only one logout request.
The following sections provide configuration guidelines to handle a mixed-binding environment.
If Federation Manager is at the IdP, configure the partnership to include an HTTP-Redirect-based SLO Service URL and a SOAP-based SLO Service URL.
Federation Manager at the IdP inspects the configuration for each SP in a session and handles all SOAP-enabled logouts first, followed by HTTP-Redirect logouts for SPs that do not support SOAP.
If Federation Manager is at the SP and the SP initiates single logout, we recommend that Federation Manager use the HTTP-Redirect binding to initiate the logout, even if the initiating SP supports SOAP. Other SPs for the user session might not support SOAP.
HTTP-Redirect relies on a browser session to handle all redirections. For this reason, it carries the data that the IdP must have to log out SPs that support only HTTP-Redirect. If the initiating SP starts the process with HTTP-Redirect, the IdP can use SOAP with all SPs that support it, then switch to the HTTP-Redirect binding for the remaining SPs.
If single logout is initiated with the SOAP binding, no browser session data is present, so the IdP lacks the data it requires to complete the logout at other SPs that require HTTP-Redirect.
To help ensure that an SP-initiated logout uses HTTP-Redirect, embed in a page or application an HTTP-Redirect link that points to the SP's local servlet. For Federation Manager, that link is:
http://sp_host:port/affwebservices/public/saml2slo.
This embedded link causes Federation Manager to generate a SAML <LogoutRequest> message that it sends to the SLO service at the IdP. When a user logs out, the logout at the SP is performed first and then the logout request is sent to the IdP. The IdP then completes the logout process with all the other SPs involved in the user session.
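The following is an added example that models the logout flow described above: the local logout at the initiating SP, the LogoutRequest to the IdP, and the IdP's handling of SOAP-enabled SPs first, followed by HTTP-Redirect for the rest. It also shows the failure mode of initiating over SOAP, where the SPs that only support HTTP-Redirect cannot be logged out. This is illustrative code, not Federation Manager's implementation; the `ServiceProvider`, `LogoutStep`, `plan_idp_logout` and `sp_initiated_logout` names, the sample session, and the `example.test` hostnames are all assumptions. The only value taken from the page is the local servlet path in `sp_local_slo_link`.

```python
"""Model of SAML 2.0 single logout (SLO) dispatch across SPs with mixed bindings.

Added example; it follows the behaviour described in the text and is not
Federation Manager code. Names, URLs and the sample session are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOAP = "SOAP"
REDIRECT = "HTTP-Redirect"


@dataclass(frozen=True)
class ServiceProvider:
    """One SP in the user session, with the SLO Service URLs its partnership lists.
    A missing URL means the SP does not support that binding."""
    name: str
    slo_soap_url: Optional[str] = None
    slo_redirect_url: Optional[str] = None

    def supports(self, binding: str) -> bool:
        url = self.slo_soap_url if binding == SOAP else self.slo_redirect_url
        return url is not None


@dataclass(frozen=True)
class LogoutStep:
    actor: str        # who performs the step: "SP" or "IdP"
    target: str       # SP being logged out, or "IdP" for the initial LogoutRequest
    binding: str      # "local", SOAP or HTTP-Redirect
    url: str = ""


def sp_local_slo_link(host: str, port: int) -> str:
    """HTTP-Redirect link to embed in a page so logout starts at the SP's local
    servlet (the path is the one given in the documentation above)."""
    return f"http://{host}:{port}/affwebservices/public/saml2slo"


def plan_idp_logout(session_sps: List[ServiceProvider], initiating_sp: str,
                    initiating_binding: str) -> Tuple[List[LogoutStep], List[str]]:
    """IdP side: log out the remaining SPs, SOAP-enabled ones first, then
    HTTP-Redirect for SPs without SOAP. Redirects need the browser session, which
    exists only when the logout was initiated over HTTP-Redirect; otherwise the
    redirect-only SPs are returned in `skipped` (the failure mode in the text)."""
    browser_session_present = initiating_binding == REDIRECT
    others = [sp for sp in session_sps if sp.name != initiating_sp]
    steps: List[LogoutStep] = []
    skipped: List[str] = []
    for sp in others:                      # pass 1: every SP that supports SOAP
        if sp.supports(SOAP):
            steps.append(LogoutStep("IdP", sp.name, SOAP, sp.slo_soap_url))
    for sp in others:                      # pass 2: HTTP-Redirect for the rest
        if sp.supports(SOAP):
            continue
        if sp.supports(REDIRECT) and browser_session_present:
            steps.append(LogoutStep("IdP", sp.name, REDIRECT, sp.slo_redirect_url))
        else:
            skipped.append(sp.name)
    return steps, skipped


def sp_initiated_logout(session_sps: List[ServiceProvider], initiating_sp: str,
                        initiating_binding: str,
                        idp_slo_url: str) -> Tuple[List[LogoutStep], List[str]]:
    """Whole flow: local logout at the initiating SP first, then the LogoutRequest
    to the IdP over the chosen binding, then the IdP's SOAP-first fan-out."""
    sp = next(s for s in session_sps if s.name == initiating_sp)
    steps = [LogoutStep("SP", sp.name, "local"),
             LogoutStep("SP", "IdP", initiating_binding, idp_slo_url)]
    fanout, skipped = plan_idp_logout(session_sps, initiating_sp, initiating_binding)
    return steps + fanout, skipped


# Constructed sample session: sp-a supports both bindings, sp-b SOAP only,
# sp-c HTTP-Redirect only. Hostnames are placeholders.
SESSION = [
    ServiceProvider("sp-a", "https://sp-a.example.test/slo/soap",
                    "https://sp-a.example.test/slo/redirect"),
    ServiceProvider("sp-b", slo_soap_url="https://sp-b.example.test/slo/soap"),
    ServiceProvider("sp-c", slo_redirect_url="https://sp-c.example.test/slo/redirect"),
]
IDP_SLO_URL = "https://idp.example.test/slo"   # placeholder


if __name__ == "__main__":
    print("embedded link:", sp_local_slo_link("sp-a.example.test", 8080))
    for binding in (REDIRECT, SOAP):
        steps, skipped = sp_initiated_logout(SESSION, "sp-a", binding, IDP_SLO_URL)
        print(f"initiated over {binding}:")
        for st in steps:
            print(f"  {st.actor:3} -> {st.target:5} via {st.binding}")
        print(f"  not logged out: {skipped or 'none'}")
```

Running the script with the constructed session shows why the text recommends HTTP-Redirect for SP-initiated logout: initiated over HTTP-Redirect, sp-b is logged out over SOAP and sp-c over HTTP-Redirect; initiated over SOAP, sp-b is still handled but sp-c is left logged in because no browser session exists to drive its redirect.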
Copyright © 2010 CA. All rights reserved.