

Implement WS-Federation Signout

Sign-out is the simultaneous termination of all user sessions for the browser that initiated the sign-out. Closing all user sessions prevents unauthorized users from gaining access to resources at the Resource Partner.

Sign-out does not necessarily end all sessions for a user. For example, a user with two browsers open can have two independent sessions. Only the session for the browser that initiates the sign-out is terminated at all federated sites for that session. The session in the other browser is still active.

The Policy Server performs sign-out using the signoutconfirmurl.jsp page, which resides on the Identity Provider system. An Identity Provider initiates a sign-out request on behalf of a user. The JSP sends the sign-out request to each site where the user signed on during the current browser session, and the user is then signed out at each of those sites.

A user can initiate a sign-out request only at an Identity Provider. The request is triggered by clicking a link that points to the appropriate servlet. The sign-out confirmation page must be an unprotected resource at the Identity Provider site.

Note: The Policy Server only supports the WS-Federation Passive Request profile for sign-out.

Enable Signout

To configure WS-Federation signout

  1. Navigate to the authentication scheme you want to modify.
  2. Select WS-Federation Configuration, then SAML Profiles. If you are modifying an existing scheme, click Modify first.

    The SAML Profiles dialog opens.

  3. In the Signout section, select the Enable Signout check box.
  4. Enter a value for the Signout URL. The URL must begin with https:// or http://.
  5. Click OK.

More Information:

Storing User Session, Assertion, and Expiry Data