The single logout (SLO) profile allows near-simultaneous logout of all sessions that a specific session authority provides and which are associated with a particular user. The user initiates the logout directly. A session authority is the authenticating entity that has initially authenticated the user. In most cases, the session authority is the Identity Provider.
Single logout helps ensure that no sessions are left open for unauthorized users to gain access to resources at the Service Provider.
The user can initiate single logout service from a browser by clicking a link at the Service Provider or at the Identity Provider. The user clicks the logout link which points to an SLO servlet. This servlet, which is a component of Federation Web Services, processes logout requests and responses coming from a Service Provider or Identity Provider. The servlet does not need to know the originator of the request or response. The servlet uses the CA SiteMinder® session cookie to determine the session to log out.
The single logout feature transports messages using the HTTP-Redirect binding. This binding determines how SAML protocol messages are transported using HTTP redirect messages, which are 302 status code responses.
If you enable single logout at the Service Provider, configure persistent sessions for the realm containing the protected resources at the Service Provider. Configure persistent sessions in the Administrative UI.
To configure single logout
Specifies the number of seconds that a single logout request is valid. If the validity duration expires, a single logout response is generated. The response is sent to the entity that initiated the logout. The skew time is also used, together with the validity duration, to calculate how long a single logout message is valid.
Entries for these fields must start with https:// or http://.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
After single logout is initiated, the user session is removed at the Identity Provider and all Service Provider sites. Federation Web Services then redirects the user to the logout confirm page.
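The following added example (not CA code and not part of the original page) shows how a LogoutRequest travels over the HTTP-Redirect binding and how a receiver can apply the validity duration and skew time described above. The URLs, identifiers, function names and the 64 KB size cap are constructed for illustration, and the way skew extends the window is an assumption; signature handling (the SigAlg and Signature query parameters) is omitted.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_XML = 64 * 1024  # assumed cap on the inflated message size

def build_logout_redirect(slo_url, issuer, name_id, session_index, now, validity_s):
    """Return the Location header value of the 302 that carries a LogoutRequest."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_constructed-id-1", "Version": "2.0", "Destination": slo_url,
        "IssueInstant": now.strftime(FMT),
        "NotOnOrAfter": (now + timedelta(seconds=validity_s)).strftime(FMT)})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(ET.tostring(req)) + comp.flush()
    return slo_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def parse_logout_redirect(location, now, skew_s):
    """Decode the redirect and report whether the request is still within its window."""
    query = parse_qs(urlparse(location).query)
    inflater = zlib.decompressobj(-15)
    # Bound the inflated size so a crafted parameter cannot exhaust memory.
    raw = inflater.decompress(base64.b64decode(query["SAMLRequest"][0]), MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("inflated message exceeds size cap")
    root = ET.fromstring(raw)  # untrusted input: prefer a hardened XML parser in production
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    expiry = datetime.strptime(root.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    return {"issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
            # Assumption: skew simply extends the validity window on the receiver.
            "valid": now < expiry + timedelta(seconds=skew_s)}
```
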
Copyright © 2013 CA.
All rights reserved.