Flow Diagram for WS-Federation Signout (AP-initiated)

The illustration that follows shows the detailed flow for a signout request between a user's browser and the Federation Security Services components (the Federation Web Services, or FWS, application) deployed at an Account Partner (AP) site and at one or more Resource Partner (RP) sites. This setup enables signout at every entity that holds a session for a particular user.

The following illustration assumes that the AP initiates the signout request.

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack, which provide the FWS application functions. For information about installing and configuring the SPS federation gateway, see the CA SiteMinder Secure Proxy Server Administration Guide.

When signout is initiated at the Account Partner, the process flow is as follows:

  1. The user clicks a link at the Account Partner to end the global session. The user's browser sends an HTTP-based wsignout request to the signout servlet at the Account Partner.
  2. FWS renames the SMSESSION cookie to SESSIONSIGNOUT so that the browser no longer presents a valid session cookie; the session itself is terminated in the session store in the following steps.
  3. FWS reads the SessionId value from the SESSIONSIGNOUT cookie and calls the SLO Tunnel Service API to terminate the user session from the session store.
  4. The SLO Tunnel Service API sets the user session status to "Terminated" in the session store and removes all the RP references from the session store that are associated with that user session.
  5. The SLO Tunnel Service API returns the logout status "Terminated" to the FWS Signout Servlet. The Tunnel library also returns the RP providerID and providerType for all the RPs associated with the user session.
  6. FWS retrieves the RP's provider configuration data, which includes the signout cleanup URL, from the provider cache maintained in FWS.
  7. FWS removes the SESSIONSIGNOUT cookie and then posts an AP Signout message and the RP SignoutCleanup locations as post data to the SignoutConfirmURL JSP. The SignoutConfirmURL JSP parses the post variables and creates a frame-based HTML page. The main frame in this HTML page displays the AP Signout message. Each of the remaining frames accesses the SignoutCleanupURL of an individual RP associated with the user session.
  8. The user's browser accesses the SignoutCleanup service at the Resource Partner site in an individual frame.
  9. When FWS (Signout Servlet) at the Resource Partner receives a wsignoutcleanup request, it renames the SMSESSION cookie to SESSIONSIGNOUT and calls the SLO Tunnel Service API to process the wsignoutcleanup request.
  10. The SLO tunnel library processes the wsignoutcleanup request and terminates the user session from the session store.
  11. The SLO tunnel library then returns a "Terminated" status message to FWS, indicating that the user session no longer exists in the session store.
  12. The FWS Signout Servlet removes the SESSIONSIGNOUT cookie and returns a 200 OK response in the frame.

Note: Steps 8-12 are repeated for each RP simultaneously, in separate frames of the same HTML page.
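The following simulation walks through steps 1-12 with both the AP and RP sides in one runnable script. It is an added example and not CA SiteMinder or FWS code: the session stores, the cleanup URLs (rp-a.example, rp-b.example), the /signoutmessage frame target and every function name are assumptions made for illustration. The cookie names SMSESSION and SESSIONSIGNOUT and the "Terminated" status are taken from the flow above; the wa=wsignout1.0 and wa=wsignoutcleanup1.0 values are the WS-Federation action parameters for signout and signout cleanup.

```python
# Simulation of the AP-initiated WS-Federation signout flow (steps 1-12).
# Constructed example, not CA SiteMinder / FWS code. Stores, URLs and
# function names are assumptions; cookie names and the "Terminated" status
# follow the flow description; the wa= values are WS-Federation's.
from dataclasses import dataclass, field
from html import escape
from urllib.parse import urlencode, urlparse, parse_qs

SESSION_COOKIE = "SMSESSION"
SIGNOUT_COOKIE = "SESSIONSIGNOUT"
WSIGNOUT = "wsignout1.0"
WSIGNOUTCLEANUP = "wsignoutcleanup1.0"


@dataclass
class Session:
    status: str = "Active"
    rps: set = field(default_factory=set)  # providerIDs federated into this session


class SessionStore:
    """Stand-in for the session store that the SLO Tunnel Service API updates."""

    def __init__(self):
        self.sessions = {}

    def create(self, session_id, rps=()):
        self.sessions[session_id] = Session(rps=set(rps))

    def terminate(self, session_id):
        """Steps 4-5 / 10-11: mark Terminated, drop and return the RP references."""
        s = self.sessions.get(session_id)
        if s is None:  # unknown or already removed: nothing to do, still Terminated
            return "Terminated", set()
        s.status = "Terminated"
        rps, s.rps = set(s.rps), set()
        return s.status, rps


def rename_cookie(cookies, old, new):
    """Steps 2 / 9: SMSESSION -> SESSIONSIGNOUT so no live session cookie is presented."""
    cookies = dict(cookies)
    if old in cookies:
        cookies[new] = cookies.pop(old)
    return cookies


def build_confirm_page(ap_message, cleanup_urls):
    """Step 7: frame page with the AP message in the main frame and one hidden
    frame per RP cleanup URL (values are escaped before use in attributes)."""
    rows = ",".join(["*"] + ["0"] * len(cleanup_urls))
    frames = [f'<frame src="/signoutmessage?msg={escape(ap_message, quote=True)}"></frame>']
    frames += [f'<frame src="{escape(u, quote=True)}"></frame>' for u in cleanup_urls]
    return f'<html><frameset rows="{rows}">{"".join(frames)}</frameset></html>'


def ap_signout(ap_store, cookies, provider_cache, wa):
    """Steps 1-7 at the Account Partner. provider_cache maps providerID -> cleanup URL."""
    if wa != WSIGNOUT:
        raise ValueError("not a wsignout request")
    cookies = rename_cookie(cookies, SESSION_COOKIE, SIGNOUT_COOKIE)        # step 2
    session_id = cookies.get(SIGNOUT_COOKIE)                                # step 3
    _, rps = ap_store.terminate(session_id) if session_id else ("Terminated", set())
    cleanup_urls = [provider_cache[p] + "?" + urlencode({"wa": WSIGNOUTCLEANUP})
                    for p in sorted(rps) if p in provider_cache]            # step 6
    cookies.pop(SIGNOUT_COOKIE, None)                                       # step 7
    return cookies, cleanup_urls, build_confirm_page("You have been signed out.", cleanup_urls)


def rp_signout_cleanup(rp_store, cookies, wa):
    """Steps 9-12 at one Resource Partner. The cleanup GET carries no session
    identifier: only the session named by the RP's own cookie is ended, so the
    URL cannot be used to sign out someone else's session."""
    if wa != WSIGNOUTCLEANUP:
        return cookies, 400
    cookies = rename_cookie(cookies, SESSION_COOKIE, SIGNOUT_COOKIE)        # step 9
    session_id = cookies.get(SIGNOUT_COOKIE)
    if session_id:
        rp_store.terminate(session_id)                                      # steps 10-11
    cookies.pop(SIGNOUT_COOKIE, None)                                       # step 12
    return cookies, 200


def run_flow():
    """Drive one global signout across an AP and two RPs using constructed session data."""
    ap_store = SessionStore()
    ap_store.create("ap-sess-1", rps={"rp-a", "rp-b"})
    rp_stores = {"rp-a": SessionStore(), "rp-b": SessionStore()}
    rp_stores["rp-a"].create("rpa-sess-9")
    rp_stores["rp-b"].create("rpb-sess-4")
    rp_cookies = {"rp-a": {SESSION_COOKIE: "rpa-sess-9"}, "rp-b": {SESSION_COOKIE: "rpb-sess-4"}}
    provider_cache = {"rp-a": "https://rp-a.example/fws/signoutcleanup",   # assumed URLs
                      "rp-b": "https://rp-b.example/fws/signoutcleanup"}

    ap_cookies, cleanup_urls, page = ap_signout(
        ap_store, {SESSION_COOKIE: "ap-sess-1"}, provider_cache, WSIGNOUT)
    rp_results = {}
    for url in cleanup_urls:                                # step 8: one frame per RP
        pid = next(p for p, base in provider_cache.items() if url.startswith(base))
        wa = parse_qs(urlparse(url).query)["wa"][0]
        _, code = rp_signout_cleanup(rp_stores[pid], rp_cookies[pid], wa)
        rp_results[pid] = (code, next(iter(rp_stores[pid].sessions.values())).status)
    return {"ap_cookies": ap_cookies, "ap_status": ap_store.sessions["ap-sess-1"].status,
            "ap_rps_left": ap_store.sessions["ap-sess-1"].rps, "cleanup_urls": cleanup_urls,
            "rp_results": rp_results, "frames": page.count("<frame ")}


if __name__ == "__main__":
    print(run_flow())
```

Two properties of the flow are worth noting from the simulation. Each cleanup frame is a plain GET issued by the browser, so the RP identifies which session to end solely from its own cookie, and the AP has already discarded its RP references before the frames load; the RP therefore has to treat wsignoutcleanup as idempotent and return 200 OK even when the session is already gone (step 11), since nothing retries on its behalf.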


Copyright © 2010 CA. All rights reserved.