

Enable Single Logout

The single logout (SLO) profile allows near-simultaneous logout of all sessions associated with a particular user that a specific session authority provides. The user initiates the logout directly. A session authority is the entity that initially authenticated the user; in most cases, the session authority is the Identity Provider.

Single logout helps ensure that no sessions are left open for unauthorized users to gain access to resources at the Service Provider.

The user can initiate single logout from a browser by clicking a link at the Service Provider or at the Identity Provider. The logout link points to an SLO servlet. This servlet, a component of Federation Web Services, processes logout requests and responses coming from a Service Provider or Identity Provider. The servlet does not need to know the originator of the request or response; it uses the CA SiteMinder® session cookie to determine which session to log out.

Bindings for Single Logout

The single logout feature transports messages using the HTTP-Redirect binding. This binding determines how SAML protocol messages are transported using HTTP redirect messages, which are 302 status code responses.

Configure Single Logout

If you enable single logout at the Service Provider, configure persistent sessions for the realm containing the protected resources at the Service Provider. Configure persistent sessions in the Administrative UI.

To configure single logout

  1. Navigate to the SAML 2.0 authentication scheme.
  2. Click SAML 2.0 Configuration, SLO.
  3. In the SLO section of the page, select the HTTP-Redirect check box. The other single logout settings become active.
  4. Enter values for the remaining fields, noting the following information:
    Validity Duration

    Specifies the number of seconds that a single logout request is valid. If the validity duration expires, a single logout response is generated and sent to the entity that initiated the logout. The skew time is also factored in when the single logout message duration is calculated from the validity duration.

    SLO Location URL, SLO Response Location URL, and SLO Confirm URL

    Entries for these fields must start with https:// or http://.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
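The following is an added illustration, not CA SiteMinder code, of what the HTTP-Redirect binding and the Validity Duration setting above mean on the wire. It builds a constructed SAML 2.0 LogoutRequest, encodes it the way the HTTP-Redirect binding requires (raw DEFLATE, base64, then URL-encoded into a SAMLRequest query parameter on the 302 Location URL), decodes it again as a receiving SLO servlet would, and then checks the message's IssueInstant against a validity duration and a skew time. The exact rule SiteMinder uses to combine validity duration and skew is not stated on the page; the window used here (IssueInstant minus skew up to IssueInstant plus validity duration plus skew) is an assumption, as are the issuer, SLO Location URL and session values. Signature verification on the redirect is out of scope for this snippet, and untrusted XML should be parsed with defusedxml rather than the standard library parser.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_logout_request(issuer, name_id, session_index, issue_instant,
                         request_id="_constructed-slo-request-1"):
    """Constructed sample LogoutRequest; the values are placeholders, not product output."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:NameID>{name_id}</saml:NameID>"
        f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def redirect_encode(xml_text, slo_location_url, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.

    The returned string is what a 302 response would carry in its Location header.
    """
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{slo_location_url}?{urlencode(params)}"


def redirect_decode(location_url):
    """Reverse of redirect_encode: pull SAMLRequest off the query string and inflate it."""
    query = parse_qs(urlparse(location_url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def parse_instant(iso_text):
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(iso_text.replace("Z", "+00:00"))


def parse_logout_request(xml_text):
    """Extract the fields an SLO servlet needs to locate the session to terminate."""
    root = ET.fromstring(xml_text)  # constructed input here; use defusedxml for untrusted XML
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError("not a SAML 2.0 LogoutRequest")

    def child_text(namespace, local_name):
        element = root.find(f"{{{namespace}}}{local_name}")
        return element.text if element is not None else None

    return {
        "id": root.attrib["ID"],
        "issue_instant": parse_instant(root.attrib["IssueInstant"]),
        "issuer": child_text(SAML_NS, "Issuer"),
        "name_id": child_text(SAML_NS, "NameID"),
        "session_index": child_text(SAMLP_NS, "SessionIndex"),
    }


def is_within_validity(issue_instant, now, validity_seconds, skew_seconds):
    """Assumed rule: accept if IssueInstant - skew <= now <= IssueInstant + validity + skew."""
    earliest = issue_instant - timedelta(seconds=skew_seconds)
    latest = issue_instant + timedelta(seconds=validity_seconds + skew_seconds)
    return earliest <= now <= latest


def evaluate_redirect(location_url, now_iso, validity_seconds, skew_seconds):
    """Decode a redirect-bound LogoutRequest and report whether it is still valid at now_iso."""
    request = parse_logout_request(redirect_decode(location_url))
    request["valid"] = is_within_validity(
        request["issue_instant"], parse_instant(now_iso), validity_seconds, skew_seconds
    )
    return request


if __name__ == "__main__":
    # Constructed values: placeholder issuer, SLO Location URL and session identifiers.
    xml = build_logout_request("https://idp.example.test", "alice",
                               "constructed-session-1", "2024-01-01T12:00:00Z")
    url = redirect_encode(xml, "https://sp.example.test/slo", relay_state="page1")
    print(url)
    print(evaluate_redirect(url, "2024-01-01T12:00:30Z", validity_seconds=60, skew_seconds=30))
    print(evaluate_redirect(url, "2024-01-01T12:02:00Z", validity_seconds=60, skew_seconds=30))
```

With a validity duration of 60 seconds and a skew of 30 seconds, a request issued at 12:00:00 is accepted at 12:00:30 and rejected at 12:02:00, which is the point at which the page says a single logout response is generated back to the initiator instead of the session being terminated.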

After single logout is initiated, the user session is removed at the Identity Provider and all Service Provider sites. Federation Web Services then redirects the user to the logout confirm page.

More Information:

Storing User Session, Assertion, and Expiry Data