|
|
|
The values of the SLO validity duration (Validity Duration field on the SLO tab) and Skew Time instruct the Policy Server how to calculate the total time that the single logout request is valid.
Note: The SLO Validity Duration is a different value from the SSO Validity Duration.
The two values that are relevant in calculating the logout request duration are referred to as the IssueInstant value and the NotOnOrAfter value. In the SLO response, the single logout request is valid until the NotOnOrAfter value.
When a single logout request is generated, the Policy Server takes its system time. The resulting time becomes the IssueInstant value, which is set in the request message.
To determine when the logout request is no longer valid, the Policy Server takes its current system time and adds the Skew Time plus the SLO Validity Duration together. The resulting time becomes the NotOnOrAfter value. Times are relative to GMT.
For example, a log out request is generated at the Identity Provider at 1:00 GMT. The Skew Time is 30 seconds and the SLO Validity Duration is 60 seconds. Therefore, the request is valid between 1:00 GMT and 1:01:30 GMT. The IssueInstant value is 1:00 GMT and the single logout request message is no longer valid 90 seconds afterward.
| Copyright © 2010 CA. All rights reserved. | Email CA about this topic |