Federation Security Services GuideFederation Security Services OverviewFederation Security Services Process Flow › Flow Diagram for WS-Federation Signout (RP-initiated)

Previous Topic: Flow Diagram for WS-Federation Signout (AP-initiated)

Next Topic: Flow Diagram for Identity Provider Discovery Profile

Flow Diagram for WS-Federation Signout (RP-initiated)

The illustration that follows shows the detailed flow for a signout request between a user's browser and the Federation Security Service components deployed at an Account Partner (AP) and Resource Partner sites. This set-up enables signout for all entities that have a session with a particular user.

The following diagram assumes that the RP initiates the sign out request.

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack, which provide the FWS application functions. For information about installing and configuring the SPS federation gateway, see the CA SiteMinder Secure Proxy Server Administration Guide.

When signout is initiated at the Resource Partner, the process flow is as follows:

  1. The user clicks on a link at the Resource Partner to end his global session. The user's browser sends a HTTP-based wsignout request to the Signout servlet at the Resource Partner.

    Note: that the RP site is receiving a wsignout message and not a wsignoutcleanup message.

  2. FWS reads the SessionId value from the SMSESSION cookie, renames the SMSESSION cookie to SESSIONSIGNOUT, and calls the SLO tunnel library with the wsignout request.
  3. Based on the information found in session store, the tunnel library determines that the user session was created by consuming a SAML assertion from an Account Partner. The SLO tunnel library sets the user session state to SignoutInProgress, but does not terminate it.
  4. The tunnel library returns the SignoutInProgress state message and the Account Partner providerID and providerType.
  5. FWS retrieves Account Partner configuration data, which includes the Signout URL, from the FWS cache or Policy Server.
  6. FWS redirects the user's browser to the Signout URL.
  7. FWS removes the SESSIONSIGNOUT cookie then posts an AP Signout message and multiple RP-SignoutCleanup locations as post data to the SignoutConfirmURL JSP. The SignoutConfirmURL JSP is responsible for parsing various post variables and creating a frame-based HTML page. The main frame in this HTML page displays the AP-SignOut message. Each of the remaining frames accesses the SignoutCleanupURL of individual RPs associated with the user session.
  8. The user's browser accesses SignoutCleanup service at the Resource Partner site in an individual frame.
  9. When FWS (Signout Servlet) at the Resource Partner receives a wsignoutcleanup request, it renames the SMSESSION cookie to SESSIONSIGNOUT and calls the SLO Tunnel Service API to process the wsignoutcleanup request.
  10. The SLO tunnel library processes the wsignoutcleanup request and terminates the user session from the session store.
  11. Then SLO tunnel library returns FWS with a Terminated status message indicating that the user session no longer exists in the session store.
  12. The FWS Signout Servlet removes the SESSIONSIGNOUT cookie and returns a 200 OK response in the frame.

Note: Steps 8-12 are repeated for individual RPs simultaneously in different frames of the same HTML page.

Copyright © 2010 CA. All rights reserved. Email CA about this topic