The single logout protocol (SLO) results in the simultaneous end of all sessions for a particular user, helping ensure security. These sessions must be part of the browser session that initiated the logout.
Single logout does not necessarily end all sessions for a user. For example, if the user has two browsers open, that user can establish two independent sessions. Only the session for the browser that initiates the single logout is terminated at all federated sites for that session. The session in the other browser is still active. A user-initiated logout triggers single logout.
Note: CA SiteMinder® only supports the HTTP-Redirect binding for the single logout protocol.
Configuring SLO tells the Identity Provider whether the Service Provider supports the single logout protocol, and if so, how the Service Provider handles single logout.
If you enable single logout, you must also:
For information about the session store, see the Policy Server Administration Guide.
For information about realms, see the Policy Server Configuration Guide.
To configure single logout
Specifies the number of seconds that a single logout request is valid. This property is different from the Validity Duration for single sign-on, which is for assertions. If the validity duration expires, the IdP sends a single logout response to the entity that initiated the logout. The validity duration also depends on the skew time (set in the General tab) to calculate single logout message duration.
Entries for these fields must start with https:// or http://.
Federation Web Services redirects the user to the logout confirm page after the user session is removed at the Identity Provider and all Service Provider sites.
The SLO validity duration and Skew Time instruct the Policy Server how to calculate the total time that the single logout request is valid.
Note: The SLO Validity Duration is a different value from the SSO Validity Duration.
The two values that are relevant in calculating the logout request duration are referred to as the IssueInstant value and the NotOnOrAfter value. In the SLO response, the single logout request is valid until the NotOnOrAfter value.
When a single logout request is generated, the Policy Server takes its system time. The resulting time becomes the IssueInstant value, which is set in the request message.
The Policy Server determines when the logout request is no longer invalid. The Policy Server takes its current system time and adds the Skew Time plus the SLO Validity Duration. The resulting time becomes the NotOnOrAfter value. Times are relative to GMT.
For example, a log out request is generated at the Identity Provider at 1:00 GMT. The Skew Time is 30 seconds and the SLO Validity Duration is 60 seconds. Therefore, the request is valid between 1:00 GMT and 1:01:30 GMT. The IssueInstant value is 1:00 GMT and the single logout request message is no longer valid 90 seconds afterward.
To support single logout, have a logout confirmation page at your site. This page lets the user know they are logged out.
The logout confirmation page must satisfy the following criteria:
To receive feedback about a logout failure, the logout confirmation page must also support the following requirements:
By configuring the logout confirmation page to look for this cookie, the page can inform the user where the logout failed. This information is useful in networks where a user is logging out from multiple partner sites.
Additionally, if the SIGNOUTFAILURE cookie is found, the logout confirmation page must inform users to close the web browser to remove all session data.
Copyright © 2014 CA.
All rights reserved.
|
|