Flow Diagram for SAML 2.0 Single Logout

The illustration that follows shows the detailed flow for a single logout request between a user's browser and the Federation Security Service components deployed at an Identity Provider (IdP) and Service Provider (SP) sites. This setup enables single logout for all entities that have a session with a particular user.

The following diagram assumes that the SP initiates the logout request.

Single Logout Flow Diagram

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack, which provide the FWS application functions. For information about installing and configuring the SPS federation gateway, see the CA SiteMinder Secure Proxy Server Administration Guide.

The sequence of events is as follows:

  1. The user clicks a link at the SP to end the global session. The user's browser accesses the Single Logout servlet at the SP.

    SP FWS renames the SMSESSION cookie to SESSIONSIGNOUT to invalidate the user's current session.

  2. FWS reads the SessionId value from the SESSIONSIGNOUT cookie and asks the Policy Server to terminate the user session.
  3. Based on the session store information, the user session status is changed to a LogoutInProgress state in the session store. The Policy Server determines that the user session was created based on the SAML assertion received from an IdP. It generates a LogoutRequest message to invalidate the user's session at the IdP.
  4. The Policy Server returns the LogoutRequest message to SP FWS. It also returns the IdP's Provider ID and provider type.
  5. SP FWS retrieves the IdP's provider configuration data, which includes the SLO service URL, from the Policy Server.
  6. SP FWS redirects the user to the SLO service at the IdP with the SAML LogoutRequest message added as a query parameter.
  7. The user's browser accesses the SLO service at the IdP.

    When the IdP FWS receives a LogoutRequest message, it renames the SMSESSION cookie to SESSIONSIGNOUT.

  8. The IdP processes the signed LogoutRequest message, then tries to invalidate the user's session at all SPs specified in the session store for that user session, with the exception of the SP that sent the original LogoutRequest.

    Note: The process for logging the user out at each SP is similar to Step 2 through Step 7.

  9. After terminating the user's session from all relevant SPs, the IdP removes the user session from the session store.
  10. The IdP Policy Server returns a signed LogoutResponse message to the IdP FWS, containing the SP's provider ID and provider type. It also informs FWS that the user session has been removed from the session store.
  11. After learning that the user session has been removed from the session store, IdP FWS deletes the SESSIONSIGNOUT cookie.
  12. The IdP FWS redirects the user to the single logout service at the SP with the SAML LogoutResponse message added as a query parameter. The single logout service is part of the SP FWS application.

    The user's browser accesses SP's SLO service, which processes the signed LogoutResponse message.

    If the LogoutResponse message contains a non-SUCCESS return code, FWS issues a SIGNOUTFAILURE cookie, and the base64-encoded Partner ID is appended to the cookie value. If there are multiple IDs in the cookie, they are separated by a space character.

  13. The SP Policy Server receives the LogoutResponse message from FWS and processes it.
  14. The SP Policy Server removes the user session from the session store.
  15. After the session is removed from the session store, the Policy Server sends a SUCCESS return code to FWS along with the SP provider ID in the final LogoutResponse message.
  16. If there are no more LogoutRequest or LogoutResponse messages to process, SP FWS deletes the SESSIONSIGNOUT cookie.
  17. FWS redirects the user to the Logout Confirmation page at the SP.
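The following Python is an added example, not CA SiteMinder or FWS code, that walks the message handling in Steps 6, 7, 10 and 12 above: it builds a LogoutRequest and LogoutResponse, carries each as a query parameter the way the SAML 2.0 HTTP-Redirect binding does (raw DEFLATE, base64, URL-encoding, in the standard SAMLRequest/SAMLResponse parameters), parses them back at the receiving side, and keeps the SIGNOUTFAILURE cookie value in the space-separated base64 form the text describes. The partner URLs, NameID and session index are constructed sample values; signing and signature verification of the redirect query string, which the page says applies to both messages, is assumed to happen in a layer this example does not implement.

```python
"""Added example (not CA SiteMinder/FWS code): SAML 2.0 Single Logout messages
carried as query parameters and SIGNOUTFAILURE cookie bookkeeping. Signature
creation/verification of the redirect is assumed to be handled elsewhere."""
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def _now():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, name_id, session_index, destination):
    """Steps 3-4: the SP side builds a LogoutRequest naming the session to end."""
    req = ET.Element(f"{{{SAMLP_NS}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "Destination": destination})
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML_NS}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP_NS}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def build_logout_response(issuer, in_response_to, status=STATUS_SUCCESS):
    """Step 10: the IdP answers with a LogoutResponse carrying a status code."""
    resp = ET.Element(f"{{{SAMLP_NS}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML_NS}}}Issuer").text = issuer
    status_el = ET.SubElement(resp, f"{{{SAMLP_NS}}}Status")
    ET.SubElement(status_el, f"{{{SAMLP_NS}}}StatusCode", {"Value": status})
    return ET.tostring(resp, encoding="unicode")


def encode_redirect(xml_str):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_str.encode()) + comp.flush()).decode()


def decode_redirect(value):
    """Inverse of encode_redirect; wbits=-15 selects a raw DEFLATE stream."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def build_slo_redirect_url(slo_url, xml_str, param="SAMLRequest"):
    """Steps 6 and 12: append the encoded message to the partner's SLO URL."""
    sep = "&" if urlparse(slo_url).query else "?"
    return slo_url + sep + urlencode({param: encode_redirect(xml_str)})


def _root_from_url(url, param, expected_tag):
    qs = parse_qs(urlparse(url).query)
    if param not in qs:
        raise ValueError(f"missing {param} parameter")
    root = ET.fromstring(decode_redirect(qs[param][0]))
    if root.tag != f"{{{SAMLP_NS}}}{expected_tag}":
        raise ValueError(f"expected {expected_tag}, got {root.tag}")
    return root


def parse_logout_request(url):
    """Step 7: the IdP SLO service extracts who is logging out of which session."""
    root = _root_from_url(url, "SAMLRequest", "LogoutRequest")
    return {"id": root.get("ID"),
            "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
            "name_id": root.findtext(f"{{{SAML_NS}}}NameID"),
            "session_index": root.findtext(f"{{{SAMLP_NS}}}SessionIndex")}


def parse_logout_response(url):
    root = _root_from_url(url, "SAMLResponse", "LogoutResponse")
    code = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    return {"in_response_to": root.get("InResponseTo"),
            "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
            "status": code.get("Value") if code is not None else None}


def add_signout_failure(cookie_value, partner_id):
    """Step 12: base64 partner IDs joined by spaces (base64 never contains one)."""
    encoded = base64.b64encode(partner_id.encode()).decode()
    return encoded if not cookie_value else f"{cookie_value} {encoded}"


def failed_partners(cookie_value):
    """Decode a SIGNOUTFAILURE cookie value back into the list of partner IDs."""
    return [base64.b64decode(p).decode() for p in (cookie_value or "").split()]


def process_logout_response(url, outstanding_request_id, cookie_value=None):
    """SP side of Step 12: returns (success, updated SIGNOUTFAILURE cookie value).
    A response that does not answer the outstanding request is rejected."""
    resp = parse_logout_response(url)
    if resp["in_response_to"] != outstanding_request_id:
        raise ValueError("LogoutResponse does not match the outstanding LogoutRequest")
    if resp["status"] == STATUS_SUCCESS:
        return True, cookie_value
    return False, add_signout_failure(cookie_value, resp["issuer"])
```

The InResponseTo check in process_logout_response is the piece a practitioner should not skip: without it, any LogoutResponse redirected to the SP's SLO service would be accepted as the answer to whatever request is outstanding.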


Copyright © 2010 CA. All rights reserved.