The single logout (SLO) profile allows near-simultaneous logout of all sessions that a specific session authority provides and which are associated with a particular user. The user initiates the logout directly. A session authority is the authenticating entity that has initially authenticated the user. In most cases, the session authority is the Identity Provider.
Single logout helps ensure that no sessions are left open for unauthorized users to gain access to resources at the Service Provider.
The user can initiate single logout service from a browser by clicking a link at the Service Provider or at the Identity Provider. The user clicks the logout link which points to an SLO servlet. This servlet, which is a component of Federation Web Services, processes logout requests and responses coming from a Service Provider or Identity Provider. The servlet does not need to know the originator of the request or response. The servlet uses the SiteMinder session cookie to determine the session to log out.
The single logout feature transports messages using the HTTP-Redirect binding. This binding determines how SAML protocol messages are transported using HTTP redirect messages, which are 302 status code responses.
|
Copyright © 2012 CA.
All rights reserved.
|
|