

Configure Single Logout (optional)

The single logout protocol (SLO) results in the simultaneous end of all sessions for a particular user, helping ensure security. These sessions must be part of the browser session that initiated the logout.

Single logout does not necessarily end all sessions for a user. For example, if the user has two browsers open, that user can establish two independent sessions. Only the session for the browser that initiates the single logout is terminated at all federated sites for that session. The session in the other browser is still active. A user-initiated logout triggers single logout.

Note: CA SiteMinder® only supports the HTTP-Redirect binding for the single logout protocol.

Configuring SLO tells the Identity Provider whether the Service Provider supports the single logout protocol, and if so, how the Service Provider handles single logout.

If you enable single logout, you must also:

To configure single logout

  1. Log on to the Administrative UI.
  2. Navigate to the SAML Profiles page for the SAML Service Provider you want to configure.
  3. In the SLO section of the page, select the HTTP-Redirect check box. This setting enables single logout.
  4. Enter values for the remaining fields, noting the following fields:
    Validity Duration

    Specifies the number of seconds that a single logout request is valid. This property is different from the Validity Duration for single sign-on, which applies to assertions. If the validity duration expires, the IdP sends a single logout response to the entity that initiated the logout. The Skew Time (set in the General tab) is added to the validity duration when the Policy Server calculates how long a single logout message is valid.

    SLO Location URL, SLO Response Location URL, and SLO Confirm URL

    Entries for these fields must start with https:// or http://.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. (Optional) Select the Reuse Session Index field to use the same session index for assertions that are sent to the same partner during one browser session. This option helps ensure that single logout is successful with all third-party partners.

Federation Web Services redirects the user to the logout confirm page after the user session is removed at the Identity Provider and all Service Provider sites.

More Information:

Single Logout Request Validity

Guidelines for the Single Logout Confirmation Page

Single Logout Request Validity

The SLO validity duration and Skew Time instruct the Policy Server how to calculate the total time that the single logout request is valid.

Note: The SLO Validity Duration is a different value from the SSO Validity Duration.

Two values are relevant when calculating the logout request duration: the IssueInstant value and the NotOnOrAfter value. In the SLO response, the single logout request is valid until the NotOnOrAfter value.

When a single logout request is generated, the Policy Server takes its system time. The resulting time becomes the IssueInstant value, which is set in the request message.

The Policy Server determines when the logout request is no longer valid. The Policy Server takes its current system time and adds the Skew Time plus the SLO Validity Duration. The resulting time becomes the NotOnOrAfter value. Times are relative to GMT.

For example, a logout request is generated at the Identity Provider at 1:00 GMT. The Skew Time is 30 seconds and the SLO Validity Duration is 60 seconds. Therefore, the request is valid between 1:00 GMT and 1:01:30 GMT. The IssueInstant value is 1:00 GMT and the single logout request message is no longer valid 90 seconds afterward.
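The calculation above, as an added worked example in Python that is not part of the CA SiteMinder product or this documentation: it derives IssueInstant and NotOnOrAfter from the system time, Skew Time and SLO Validity Duration, places them in a minimal SAML 2.0 LogoutRequest, and shows the receiver-side check that rejects the request once NotOnOrAfter has passed. The issuer, NameID and SessionIndex values are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
import uuid
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC (GMT) with a Z suffix

def saml_time(dt):
    """Format an aware datetime as a SAML xs:dateTime string in UTC."""
    return dt.astimezone(timezone.utc).strftime(TIME_FMT)

def parse_saml_time(text):
    """Parse a SAML timestamp back into an aware UTC datetime."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)

def logout_request_window(system_time, skew_seconds, slo_validity_seconds):
    """IssueInstant is the Policy Server's system time; NotOnOrAfter adds Skew Time plus SLO Validity Duration."""
    not_on_or_after = system_time + timedelta(seconds=skew_seconds + slo_validity_seconds)
    return system_time, not_on_or_after

def build_logout_request(system_time, skew_seconds, slo_validity_seconds, issuer, name_id, session_index):
    """Build a minimal samlp:LogoutRequest carrying the computed IssueInstant and NotOnOrAfter."""
    issued, expires = logout_request_window(system_time, skew_seconds, slo_validity_seconds)
    req = ET.Element(f"{{{SAMLP_NS}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,  # SAML IDs are NCNames, so they must not start with a digit
        "Version": "2.0",
        "IssueInstant": saml_time(issued),
        "NotOnOrAfter": saml_time(expires),
    })
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML_NS}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP_NS}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")

def logout_request_is_valid(xml_text, now):
    """Receiver-side check: accept only while IssueInstant <= now < NotOnOrAfter (NotOnOrAfter itself is expired)."""
    root = ET.fromstring(xml_text)
    issued = parse_saml_time(root.get("IssueInstant"))
    expires = parse_saml_time(root.get("NotOnOrAfter"))
    return issued <= now < expires

if __name__ == "__main__":
    # Constructed sample matching the worked example: issued at 01:00 GMT, Skew Time 30 s, SLO Validity Duration 60 s.
    t0 = datetime(2024, 1, 1, 1, 0, 0, tzinfo=timezone.utc)
    msg = build_logout_request(t0, 30, 60, "https://idp.example.test", "alice", "s1")  # hypothetical values
    print(msg, logout_request_is_valid(msg, t0 + timedelta(seconds=89)), logout_request_is_valid(msg, t0 + timedelta(seconds=90)))
```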

Guidelines for the Single Logout Confirmation Page

To support single logout, have a logout confirmation page at your site. This page lets the user know they are logged out.

The logout confirmation page must satisfy the following criteria:

To receive feedback about a logout failure, the logout confirmation page must also support the following requirements: