

Add Single Logout

The single logout protocol (SLO) results in the simultaneous end of all user sessions for the browser that initiated the logout. Configuring single logout helps ensure that no sessions are left open for unauthorized users to gain access to resources at the Service Provider.

Important! The SLO settings are displayed only when the session store is enabled using the Policy Server Management Console. For instructions about using the Management Console, see the Policy Server Administration Guide.

Configure Single Logout at the IdP

Configure single logout at IdP1.

Follow these steps:

  1. Select Federation, Partnership Federation, Partnerships.

    The Partnerships window displays.

  2. Select Action, Deactivate next to the TestPartnership entry.

    Deactivate a partnership before editing it.

  3. Click Action, Modify next to the TestPartnership entry.

    The partnership wizard opens.

  4. Select the SSO and SLO step.
  5. In the SLO section, configure the following fields:
    SLO Binding

    HTTP-Redirect

    SLO Confirm URL

    http://idp1.example.com:9090/idpsample/SLOConfirm.html

    This link is the confirmation page at the site that initiated single logout, in this case, IdP1. If single logout completes successfully, the user is redirected to this page.

  6. Click Add Row in the SLO Service URLs table and complete the following field:
    SLO Location URL

    http://sp1.demo.com:9091/affwebservices/public/saml2slo

    This link indicates that the single logout request is sent to the remote SP.

  7. Select the row that you configured in the Select column.
  8. Click the Confirm step in the wizard and review the configuration.
  9. Click Finish.

    You return to the Partnerships window.

  10. Reactivate the partnership by selecting Action, Activate next to the TestPartnership.

Single logout is now added to the configuration at IdP1.

Configure Single Logout at the SP

Configure single logout at SP1.

Follow these steps:

  1. Select Federation, Partnership Federation, Partnerships.

    The Partnerships window displays.

  2. Select Action, Deactivate next to the entry for DemoPartnership.

    Deactivate a partnership before editing it.

  3. Click Action, Modify next to the entry for DemoPartnership.

    The dialog for the first step of the Partnership wizard opens.

  4. Click the SSO and SLO step.
  5. In the SLO section, configure the following fields:
    SLO Binding

    HTTP-Redirect

    SLO Confirm URL

    http://sp1.demo.com:9091/spsample/SLOConfirm.html

    This URL is the single logout confirmation page at the site that initiated the logout.

  6. Click Add Row in the SLO Service URLs table and complete the following field:
    SLO Location URL

    http://idp1.example.com:9090/affwebservices/public/saml2slo

    This URL is where the single logout request is sent.

  7. Select the row that you configured in the Select column.
  8. Click the Confirm step in the wizard and review the configuration.
  9. Click Finish.

    You return to the Partnerships window.

  10. Reactivate the partnership by selecting Action, Activate next to the DemoPartnership entry in the Federation Partnership List.

Single logout is now configured at the SP.

Test Single Logout

After you configure single logout, test it. For this test, single logout is initiated at SP1.

Initiating single logout from the SP requires that you have two web pages to initiate and confirm single logout.

Copy both these pages to your web server root directory under the subfolder /spsample.

Note: Complete an SSO transaction so you can test SLO.

Follow these steps:

  1. Verify that both sides of the partnership are activated in the Administrative UI.
  2. Configure and test single sign-on according to the previously documented instructions.

    If single sign-on is successful, the welcome page is displayed in the browser.

  3. Keep the browser open and click the link Log Me Out on the welcome page.

    If successful, you are redirected to the confirmation page that displays the message:

    You have successfully logged out.
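The following is an added example, not part of this guide and not CA SiteMinder's own code, showing what the HTTP-Redirect SLO binding configured in the IdP and SP procedures above actually carries during the SP-initiated test: the SP builds a SAML 2.0 LogoutRequest addressed to the IdP's SLO Location URL, DEFLATE-compresses and base64-encodes it into the SAMLRequest query parameter, and the receiving SLO endpoint decodes it and checks Destination, Issuer, IssueInstant and NotOnOrAfter before it ends any session. The two SLO Location URLs and the SP's SLO Confirm URL are the values configured on this page; the SP entity ID, the NameID and the SessionIndex are assumed placeholders, and the message is left unsigned (a real deployment signs it, which the product's signature processing handles).

```python
"""Added example (not from this guide or CA SiteMinder): SAML 2.0 single logout
over the HTTP-Redirect binding, SP-initiated, using the SLO URLs on this page."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_MESSAGE_BYTES = 64 * 1024  # cap on inflated size (decompression-bomb guard)

# SLO endpoints exactly as configured in the IdP and SP procedures on this page.
IDP_SLO_URL = "http://idp1.example.com:9090/affwebservices/public/saml2slo"
SP_SLO_URL = "http://sp1.demo.com:9091/affwebservices/public/saml2slo"
SP_CONFIRM_URL = "http://sp1.demo.com:9091/spsample/SLOConfirm.html"
# Assumed placeholder: the page does not state the SP's entity ID.
SP_ENTITY_ID = "http://sp1.demo.com:9091/sp-entity-id"


def build_logout_request(issuer, destination, name_id, session_index,
                         now=None, validity_minutes=5):
    """Build a minimal, unsigned SAML 2.0 LogoutRequest."""
    now = now or datetime.now(timezone.utc)
    req_id = "_" + uuid.uuid4().hex
    issue_instant = now.strftime(TIME_FMT)
    not_on_or_after = (now + timedelta(minutes=validity_minutes)).strftime(TIME_FMT)
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{escape(destination)}" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f"<saml:NameID>{escape(name_id)}</saml:NameID>"
        f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def redirect_binding_url(slo_location_url, xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{slo_location_url}?{urlencode(params)}"


def decode_redirect_binding(url):
    """Inverse of redirect_binding_url; returns (xml, relay_state)."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_MESSAGE_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates beyond the allowed size")
    return xml_bytes.decode("utf-8"), qs.get("RelayState", [None])[0]


def validate_logout_request(xml, my_slo_url, trusted_issuers, now=None, skew_seconds=120):
    """Checks a receiving SLO endpoint makes before ending any session.
    Raises ValueError with a loggable reason on failure."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    if root.get("Destination") != my_slo_url:
        raise ValueError("Destination does not match this SLO endpoint")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer not in trusted_issuers:
        raise ValueError(f"issuer {issuer!r} is not a configured partner")
    issued = datetime.strptime(root.get("IssueInstant"), TIME_FMT).replace(tzinfo=timezone.utc)
    if abs((now - issued).total_seconds()) > skew_seconds:
        raise ValueError("IssueInstant outside allowed clock skew")
    expiry = root.get("NotOnOrAfter")
    if expiry and now >= datetime.strptime(expiry, TIME_FMT).replace(tzinfo=timezone.utc):
        raise ValueError("LogoutRequest has expired (NotOnOrAfter)")
    return {"id": root.get("ID"), "issuer": issuer,
            "name_id": root.findtext(f"{{{SAML}}}NameID"),
            "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex")}


def accept_logout_request(xml, my_slo_url, trusted_issuers, now=None):
    """Non-raising wrapper: (True, parsed fields) or (False, reason to log)."""
    try:
        return True, validate_logout_request(xml, my_slo_url, trusted_issuers, now)
    except (ValueError, ET.ParseError) as exc:
        return False, str(exc)


def sp_initiated_slo(name_id, session_index, now=None):
    """SP side of the "Log Me Out" link: the redirect that sends the browser to the
    IdP's SLO Location URL. RelayState carries where the SP wants to land afterwards."""
    xml = build_logout_request(SP_ENTITY_ID, IDP_SLO_URL, name_id, session_index, now)
    return redirect_binding_url(IDP_SLO_URL, xml, relay_state=SP_CONFIRM_URL)


if __name__ == "__main__":
    url = sp_initiated_slo("alice@demo.com", "sess-123")
    xml, relay = decode_redirect_binding(url)
    print(accept_logout_request(xml, IDP_SLO_URL, {SP_ENTITY_ID}), relay)
```

The IdP answers with a LogoutResponse over the same binding to the SP's SLO Location URL, and only after that response is validated does the SP send the browser to the SLO Confirm URL; the Destination and issuer checks are what stop a request delivered to the wrong endpoint, or from an unconfigured partner, from terminating sessions.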