The single logout protocol (SLO) results in the simultaneous end of all sessions for a particular user, thereby ensuring security. These session must be associated with the browser that initiated the logout. Single logout does not necessarily end all sessions for a user. For example, if the user has two browsers open, that user can establish two independent sessions. Only the session for the browser that initiates the single logout is terminated at all federated sites for that session. The session in the other browser will still be active. Single logout is triggered by a user-initiated logout.
Note: SiteMinder only supports the HTTP-Redirect binding for the single logout protocol.
By configuring the settings on the SLO tab you are informing the Identity Provider whether the Service Provider supports the single logout protocol, and if so, how single logout is handled.
If you enable single logout, you must also:
To configure single logout
The remaining fields become active.
Specifies the number of seconds that a single logout request is valid. This property is different from the Validity Duration on the SSO tab, which is for assertions. If the validity duration expires, a single logout response is generated and is sent to the entity who initiated the logout. The validity duration also depends on the skew time (set in the General tab) to calculate single logout message duration.
Entries for these fields must start with https:// or http://.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Federation Web Services redirects the user to the logout confirm page after the user’s session is completely removed at the Identity Provider and all Service Provider sites.
The SLO validity duration and Skew Time instruct the Policy Server how to calculate the total time that the single logout request is valid.
Note: The SLO Validity Duration is a different value from the SSO Validity Duration.
The two values that are relevant in calculating the logout request duration are referred to as the IssueInstant value and the NotOnOrAfter value. In the SLO response, the single logout request is valid until the NotOnOrAfter value.
When a single logout request is generated, the Policy Server takes its system time. The resulting time becomes the IssueInstant value, which is set in the request message.
The Policy Server determines when the logout request is no longer invalid. The Policy Server takes its current system time and adds the Skew Time plus the SLO Validity Duration. The resulting time becomes the NotOnOrAfter value. Times are relative to GMT.
For example, a log out request is generated at the Identity Provider at 1:00 GMT. The Skew Time is 30 seconds and the SLO Validity Duration is 60 seconds. Therefore, the request is valid between 1:00 GMT and 1:01:30 GMT. The IssueInstant value is 1:00 GMT and the single logout request message is no longer valid 90 seconds afterward.
To support single logout, have a logout confirmation page at your site. This page lets the user know they are logged out.
The logout confirmation page must satisfy the following criteria:
To receive feedback about a logout failure, the logout confirmation page must also support the following requirements:
By configuring the logout confirmation page to look for this cookie, the page can inform the user where the logout failed. This information is useful in networks where a user is logging out from multiple partner sites.
Additionally, if the SIGNOUTFAILURE cookie is found, the logout confirmation page must inform users to close the web browser to remove all session data.
Copyright © 2012 CA.
All rights reserved.
|
|