Federation Security Services Guide › Identify Service Providers for a SAML 2.0 Identity Provider › Configure Single Logout (optional)

Configure Single Logout (optional)

The single logout protocol (SLO) results in the simultaneous end of all sessions for a particular user, thereby ensuring security. These session must be associated with the browser that initiated the logout. Single logout does not necessarily end all sessions for a user. For example, if the user has two browsers open, that user can establish two independent sessions. Only the session for the browser that initiates the single logout is terminated at all federated sites for that session. The session in the other browser will still be active. Single logout is triggered by a user-initiated logout.

Note: SiteMinder only supports the HTTP-Redirect binding for the single logout protocol.

By configuring the settings on the SLO tab you are informing the Identity Provider whether the Service Provider supports the single logout protocol, and if so, how single logout is handled.

If you enable single logout, you must also:

• Enable the session server at the Identity Provider using the Policy Server Management Console.
• Configure persistent sessions for the realm containing the protected resources at the Service Provider. Persistent session are configured via the FSS Administrative UI.

To configure single logout

1. Log in to the FSS Administrative UI and access the SAML Service Provider Properties dialog box for the Service Provider you want to configure.
2. From the SAML Service Provider Properties dialog box, select the SLO tab.
3. Select the HTTP-Redirect checkbox to enable single logout.

   The remaining fields become active.

4. Enter values for the remaining fields, noting the following:
   • Validity Duration

     Specifies the number of seconds that a single logout request is valid. This property is different from the Validity Duration on the SSO tab, which is for assertions. If the validity duration expires, a single logout response is generated and is sent to the entity who initiated the logout. The validity duration also depends on the skew time (set in the General tab) to calculate single logout message duration.

   • SLO Location URL, SLO Response Location URL, and SLO Confirm URL

     Entries for these fields must start with https:// or http://.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

Federation Web Services redirects the user to the logout confirm page after the user's session is completely removed at the Identity Provider and all Service Provider sites.