Solution 5: Single Logout (SAML 2.0)
Solution 5 illustrates how SiteMinder Federation Security Services can be employed to solve Use Case 5: Single Logout.
In this solution:
- smcompany.com is the Identity Provider.
- ahealthco.com is the Service Provider that initiates the logout request.
- Single logout is enabled using the FSS Administrative UI at the Identity Provider and the Service Provider.
The following figure shows the SiteMinder solution for single logout.
Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the SiteMinder Federation Web Services application functions. For information about installing and configuring the SPS federation gateway, see the CA SiteMinder Secure Proxy Server Administration Guide.
The sequence of events is as follows:
- The employee performs single sign-on between smcompany.com and ahealthco.com. smcompany.com records information about ahealthco.com in its session server, and ahealthco.com records information about smcompany.com in its session server.
- After the employee has finished looking at her health benefits, she clicks a logout link at the Service Provider. The user's browser accesses the single logout servlet at the Service Provider.
- The user's session is terminated in the Service Provider's session store.
Note: This does not remove the session from the session store; it only sets the session state to LogoutInProgress.
- Based on information in the session store, the session is identified as one created by a SAML assertion received from the Identity Provider, smcompany.com.
- The user's browser is forwarded to the single logout servlet at smcompany.com, the Identity Provider, with the logout request message as a query parameter.
- The Identity Provider invalidates the user's session at all Service Providers associated with that user's session, other than ahealthco.com, which initiated the logout request. After all Service Providers confirm the logout, the Identity Provider removes the user session from its session store.
Note: Other Service Providers are not identified in the illustration.
- The Identity Provider returns a logout response message to ahealthco.com, the initiating Service Provider, and the user's session is removed from the session store.
- The user is finally sent to a logout confirmation page at ahealthco.com.
Terminating both sessions ensures that an unauthorized employee cannot reuse the existing session to view the authorized employee's benefits.
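The sequence above, as an added illustrative model (not SiteMinder's or the FSS code): each partner's session store records the partners seen at SSO, the initiating SP sets LogoutInProgress rather than deleting, the IdP logs out every other SP before dropping its own session, and the LogoutResponse lets the initiator delete. The store class, the session index value and the second SP name are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Constructed model of one partner's session store (illustrative, not SiteMinder's)."""
    name: str
    sessions: dict = field(default_factory=dict)  # session index -> record

    def record(self, index, partner):
        # Each side stores which partner took part in SSO for this session.
        rec = self.sessions.setdefault(index, {"state": "Active", "partners": set()})
        rec["partners"].add(partner)


def single_sign_on(idp, sp, index):
    """Step 1: after SSO the IdP and the SP each note the other in their session store."""
    idp.record(index, sp.name)
    sp.record(index, idp.name)


def single_logout(sp, idp, all_sps, index):
    """Steps 2-8: single logout initiated at 'sp'. Returns (LogoutResponse, state trace)."""
    trace = []
    # Step 3: the SP does not delete the session yet; it only sets LogoutInProgress.
    sp.sessions[index]["state"] = "LogoutInProgress"
    trace.append((sp.name, sp.sessions[index]["state"]))
    # Step 4: the stored partner shows the session was created from the IdP's assertion.
    if idp.name not in sp.sessions[index]["partners"]:
        raise ValueError("session was not created by an assertion from this IdP")
    # Step 5: the browser is redirected to the IdP with the LogoutRequest as a query parameter.
    logout_request = {"Issuer": sp.name, "SessionIndex": index}
    # Step 6: the IdP logs the user out of every other SP tied to this session, then drops its own.
    for other in all_sps:
        in_session = other.name in idp.sessions[index]["partners"]
        if in_session and other.name != logout_request["Issuer"]:
            other.sessions.pop(index, None)
            trace.append((other.name, "Removed"))
    del idp.sessions[index]
    trace.append((idp.name, "Removed"))
    # Step 7: the IdP returns a LogoutResponse and the initiating SP removes its session.
    logout_response = {"InResponseTo": logout_request["SessionIndex"], "Status": "Success"}
    del sp.sessions[index]
    trace.append((sp.name, "Removed"))
    return logout_response, trace
```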