Previous Topic: Logging Out of User SessionsNext Topic: Authentication Context Processing (SAML 2.0)


Single Logout Overview (SAML 2.0)

Single logout (SLO) results in the simultaneous termination of all user sessions for the browser that initiated the logout. Closing all user sessions prevents unauthorized users from gaining access to resources at the SPs.

Single logout does not necessarily end all sessions for a user. For example, a user with two browsers open can have two independent sessions. Only the session for the browser that initiates the logout is terminated at all federated sites for that session. The session in the other browser is still active.

The single logout binding determines what is sent with a single logout message and how each received message is handled.

Important! To configure single logout, enable the session store using the Policy Server Management Console. For instructions about using the Management Console, see the Policy Server Administration Guide for instructions.

Two bindings are available for single logout operation:

HTTP-Redirect

HTTP-Redirect binding relies on a browser to conduct each logout transaction. The single logout message is always a GET request. The browser is involved in every request and response. The involvement of the browser means that HTTP-redirect binding provides browser session data, which the SOAP binding does not.

A disadvantage of HTTP-Redirect binding is that the data in the message is limited to what you can send on the query string. Also, HTTP-Redirect binding is an asynchronous process so timeouts are unlikely. However, if a redirect fails, that failure stops the entire single logout chain.

SOAP

SOAP binding uses POST requests to conduct single logout transactions. POST requests let you send more data than the HTTP-Redirect binding. SOAP also enables you to do more in the way of encryption and other features.

SOAP is a synchronous process. The IdP has more control and can prevent a problem at a single SP from interfering with the whole process. SOAP communication takes place over a back channel. One logout failure does not have to stop the IdP from attempting to log out from the rest of the SPs.

SOAP relies on a back channel connection, so after the initial single logout call and response a browser is not involved. The SOAP binding does not clean up cookies at the remote entity as part of the logout process. Cookies are cleaned up only at the local entity. If deleting cookies is required, use HTTP-Redirect binding.

Managing Single Logout Across a Network Using HTTP-Redirect and SOAP

Your network can have some sites that support the HTTP-Redirect binding and others that support the SOAP binding. The IdP has to manage multiple bindings, but the SP sends or receives only one logout request.

The following sections provide configuration guidelines to handle a mixed-binding environment.

SLO Configuration when CA SiteMinder® is at the IdP

When CA SiteMinder® is at the IdP, configure the partnership to include an HTTP Redirect-based SLO Service URL and a SOAP-based SLO Service URL.

CA SiteMinder® at the IdP inspects the configuration for each SP in a session and handles all SOAP-enabled logouts first. HTTP-Redirect logouts for SPs that do not support SOAP follow.

SLO Configuration when CA SiteMinder® is at the SP

If CA SiteMinder® is at the SP and the SP initiates single logout, we recommend the HTTP-Redirect binding to initiate the logout. Other SPs for the user session possibly do no support SOAP.

HTTP-Redirect relies on a browser session to handle all redirections. For this reason, it sends the necessary data that the IdP must have to logout SPs that only support HTTP-Redirect. If the SP starts the process with HTTP-Redirect, the IdP can use SOAP with all SPs that support it. Switch to HTTP-Redirect binding for the remaining SPs.

If you initiate single logout with the SOAP binding, the browser session data is not present.

To help ensure an SP-initiated logout uses HTTP-Redirect, embed an HTTP-Redirect link that points to the SP' local servlet in a page or application. For CA SiteMinder®, that link is:

http://sp_host:port/affwebservices/public/saml2slo

This embedded link causes CA SiteMinder® to generate a SAML <LogoutRequest> message that it sends to the SLO service at the IdP. When a user logs out, the logout at the SP is performed first and then the logout request is sent to the IdP. The IdP then completes the logout process with all the other SPs involved in the user session.

Understanding Skew Time for SLO Request Validity

Two values are relevant when calculating how long the logout request is valid. These values are the IssueInstant value and the NotOnOrAfter value. In the SLO response, the single logout request is valid until the NotOnOrAfter value. When a single logout request is generated, CA SiteMinder® takes its system time. The resulting time becomes the IssueInstant set in the request message. To determine when the logout request expires, CA SiteMinder® takes its current system time and adds the Skew Time plus the SLO Validity Duration. The resulting time becomes the NotOnOrAfter value.

Note: Times are relative to GMT.

For example, a log out request is generated at the asserting party at 1:00 GMT. The Skew Time is 30 seconds and the SLO Validity Duration is 60 seconds. Therefore, the request is valid between 1:00 GMT and 1:01:30 GMT. The IssueInstant value is 1:00 GMT and the single logout request message is no longer valid 90 seconds afterward.

Configure Single Logout

Configuring single logout requires that you enable the session store using the Policy Server Management Console. For instructions about using the Management Console, see the Policy Server Administration Guide for instructions. If the session store is not enabled, you cannot see the single logout settings in the Administrative UI.

When configuring single logout, note the following information:

Follow these steps:

Note: The SLO configuration settings are the same at the IdP and SP.

  1. Begin at the SSO and SLO step of the partnership wizard.
  2. In the SLO section, select one or both SLO bindings.

    The SLO binding enables single logout and indicates the binding in use at the local entity. The SLO binding also indicates which binding the local entity accepts when it receives a single logout request.

    If you select SOAP, you can encrypt the Name ID in the SOAP message. Encryption options are set in the Signature and Encryption step of the partnership wizard.

    If you select SOAP as the binding, the Incoming and Outgoing Configuration for the Back Channel becomes active. SLO requests and responses are sent across a back channel. Each local partner can secure the back channel by requiring the remote partner to authenticate.

    More information can be found about the back channel settings for SLO.

  3. Configure any of the additional SLO settings:

    Click Help for the field descriptions.

  4. Complete the table for the SLO Service URLs. You must have at least one entry. Values that are defined for the selected remote entity are already entered in the table.

    The SLO Service URL initiates single logout, which then triggers the Policy Server to generate a SAML <LogoutRequest> message. In addition, the SLO Service URL tells the Policy Server where to send the logout request message.

    Specify a SLO service URL for each supported SLO binding, as follows:

    Note: The Response Location URL field is optional.

Single logout configuration is complete.

Back Channel Configuration for Single Logout

Single logout using the SOAP binding sends logout requests and responses across a back channel. You can require an entity to authenticate to access the back channel. The back channel can also be secured using SSL, though SSL is not required.

Securing the back channel using SSL involves:

To secure the back channel for single logout

  1. Begin at the Back Channel section in the SSO and SLO step of the partnership wizard.
  2. Select SOAP in the SLO section. The Authentication Method field becomes active.
  3. Select the type of authentication method for the incoming and outgoing back channel. Additional fields to configure are displayed for Basic and Client Cert methods.

    If you select No Auth as the authentication method, no additional steps are required.

  4. Depending on the authentication method you select, several additional fields are displayed for you to configure.

After entering values for all the necessary fields, the back channel configuration is complete.

Sign-Out Overview (WS-Federation)

Sign-out is the simultaneous termination of all user sessions for the browser that initiated the sign-out. Closing all user sessions prevents unauthorized users from gaining access to resources at the Resource Partner.

Sign-out does not necessarily end all sessions for a user. For example, a user with two browsers open can have two independent sessions. Only the session for the browser that initiates the sign-out is terminated at all federated sites for that session. The session in the other browser is still active.

The Policy Server performs sign-out using a signoutconfirmurl.jsp. This page resides on the Identity Provider system. An Identity Provider partner initiates a sign-out request on behalf of a user. The JSP sends the sign-out request to each site where the user signed on during a given browser session. The user is then signed out.

A user can initiate a sign-out request only at an Identity Provider. The request is triggered by clicking a link that points to the appropriate servlet. The sign-out confirmation page must be an unprotected resource at the Identity Provider site.

Note: The Policy Server only supports the WS-Federation Passive Request profile for sign-out.

Enable WSFED Sign-Out

Requirements to configure sign-out:

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select the WS-Federation partnership that you want to modify.
  3. Navigate to the Single Sign-on and Sign-Out step of the partnership wizard.
  4. In the Sign-Out section, set the following fields:

    The URLs must each have an entry that starts with https:// or http://.

  5. Navigate to the Confirm step and click Finish to save your changes.

Sign-out is configured.

Local Logout at the SP (SAML 2.0)

CA SiteMinder® as an SP supports local logout for stand-alone applications. Local logout enables a user to be logged out at the local SP-side application. The session at the SP is removed, but no communication with the IdP or other SPs is involved. Sessions at the IdP and other SPs remain active.

If you include a logout link in an application at the SP, the SP sends a logout request to the local single logout service. The SP logs out the user upon receiving the request. The application at the SP is responsible for sending a confirmation message that the logout is successful.

CA SiteMinder® provides local logout using a query parameter named localLogout. To use this parameter, your application can have a page, such as the following example:

You have completed your registration with demoapp.
To end your session securely, select LOGOUT.

The following sample string represents the link for the LOGOUT button:

<http://sp1server.demo.com:8080/affwebservices/public/saml2slo?LocalLogout=true