

Add Single Logout

The single logout protocol (SLO) results in the simultaneous end of all user sessions for the browser that initiated the logout. Configuring single logout helps ensure that no sessions are left open for unauthorized users to gain access to resources at the Service Provider.

Configure Single Logout at the IdP

Configure single logout at IdP1.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Federation, Partnerships.

    The View Federation Partnerships window displays.

  3. Select Action, Deactivate next to the entry for TestPartnership.

    Deactivation is required before editing.

  4. Click Action, Modify next to the entry for TestPartnership.

    The dialog for the first step of the partnership opens.

  5. Click the SSO and SLO step.
  6. In the SLO section, select HTTP-Redirect for the SLO Bindings to enable single logout.
  7. Click Add Row in the SLO Service URLs table and complete the following:
    SLO Location URL

    http://sp1.demo.com:9091/affwebservices/public/saml2slo

    This link indicates that the single logout request is sent to the remote SP.

    SLO Confirm URL

    http://idp1.example.com:9090/idpsample/SLOConfirm.html

    This link is the confirmation page at the site that initiated single logout, in this case, IdP1. The user is redirected to this page when single logout completes successfully.

  8. Select the row you configured by clicking the option button in the Select column.
  9. Click the Confirm step in the wizard and review the configuration.
  10. Click Finish.

    You return to the View Federation Partnerships window.

  11. Reactivate the partnership by selecting Action, Activate next to the TestPartnership entry in the Federation Partnership List.

Single logout is now added to the configuration at IdP1.

Configure Single Logout at the SP

Configure single logout at SP1.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Federation, Partnerships.
  3. Select Action, Deactivate next to the entry for DemoPartnership.

    You must deactivate a partnership prior to editing it.

  4. Click Action, Modify next to the entry for DemoPartnership.

    The dialog for the first step of the partnership wizard opens.

  5. Click the SSO and SLO step.
  6. In the SLO group box, select HTTP-Redirect for the SLO Bindings to enable single logout.
  7. If no row is available in the SLO Service URLs table, click Add Row. Complete the following:
    SLO Location URL

    http://idp1.example.com:9090/affwebservices/public/saml2slo

    This is the link where the single logout request will be sent.

    SLO Confirm URL

    http://sp1.demo.com:9091/spsample/SLOConfirm.html

    This is the single logout confirmation page at the site that initiated the logout.

  8. Select the row you just configured by clicking the radio button in the Select column.
  9. Click the Confirm step in the wizard and review the configuration.
  10. Click Finish.

    You return to the View Federation Partnerships window.

  11. Reactivate the partnership by selecting Action, Activate next to the DemoPartnership entry in the Federation Partnership List.

Single logout is now configured at the SP.

Test Single Logout

After you configure single logout, test it. For this test, single logout is initiated at SP1.

Initiating single logout from the SP requires that you have two web pages to initiate and confirm single logout.

Copy both of these pages to your web server root directory under the subfolder /spsample.

Note: Complete an SSO transaction so you can test SLO.

Follow these steps:

  1. Verify that both sides of the partnership are activated in the Administrative UI.
  2. Configure and test single sign-on according to the previously documented instructions.

    If single sign-on is successful, the welcome page is displayed in the browser.

  3. Keep the browser open and click the link Log Me Out on the welcome page.

    If successful, you are redirected to the confirmation page that displays the message:

    You have successfully logged out.
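
To confirm what the HTTP-Redirect binding sends during this test, the following added example (not part of the product documentation) decodes the SAMLRequest from a captured logout redirect and compares it with the SLO Location URL configured at SP1. The issuer value, NameID, request ID, and function names are constructed for illustration; a real capture would come from the browser's network log.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# SLO Location URL entered in the SP1 partnership row on this page.
IDP_SLO = "http://idp1.example.com:9090/affwebservices/public/saml2slo"

def encode_redirect(xml_text, location):
    """HTTP-Redirect encoding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return location + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def inspect_slo_redirect(url, expected_location):
    """Decode a captured SLO redirect and compare it with the configured row."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in redirect URL")
    inflater = zlib.decompressobj(-15)
    # Cap the inflated size so a hostile capture cannot exhaust memory.
    xml_bytes = inflater.decompress(base64.b64decode(query["SAMLRequest"][0]), 65536)
    if inflater.unconsumed_tail:
        raise ValueError("decoded message exceeds 64 KiB")
    root = ET.fromstring(xml_bytes)  # use a hardened parser for untrusted input
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        raise ValueError("unexpected message: " + root.tag)
    endpoint = "%s://%s%s" % (parts.scheme, parts.netloc, parts.path)
    return {
        "issuer": root.findtext("{%s}Issuer" % SAML),
        "destination": root.get("Destination"),
        "endpoint_matches": endpoint == expected_location,
        "destination_matches": root.get("Destination") == expected_location,
        # With this binding the signature travels as query parameters.
        "signed": "Signature" in query and "SigAlg" in query,
    }

# Constructed sample: a LogoutRequest such as SP1 might send to IdP1.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="%s">'
    '<saml:Issuer>sp1-constructed</saml:Issuer>'
    '<saml:NameID>user1</saml:NameID></samlp:LogoutRequest>' % (SAMLP, SAML, IDP_SLO)
)
SAMPLE_URL = encode_redirect(SAMPLE_XML, IDP_SLO)

if __name__ == "__main__":
    print(inspect_slo_redirect(SAMPLE_URL, IDP_SLO))
```

A False value for endpoint_matches or destination_matches points to a mismatch between the SLO Service URLs row and what the partner actually sends.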