

Enable Single Logout at the SP

You can initiate single logout at the Service Provider.

To configure single logout at the SP

  1. Verify that the realm with the protected resources is configured for persistent sessions.
  2. From the Authentication Scheme Properties dialog, click Additional Configuration.

    The SAML 2.0 Auth Scheme Properties dialog opens.

  3. Select the SLO tab.
  4. Select the HTTP-Redirect checkbox.

    The rest of the fields become active.

  5. Complete the fields as follows:
    SLO Location URL

    http://www.idp.demo:80/affwebservices/public/saml2slo

    SLO Confirm URL

    http://www.sp.demo:81/spsample/SLOConfirm.jsp

  6. Accept the default values for all other fields.
  7. From the Policy Server Management Console, enable the session server.
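As an added illustration, not part of this guide or the SiteMinder product code, the following Python builds the SP-initiated LogoutRequest that the HTTP-Redirect binding sends to the SLO Location URL configured above, encodes it the way the binding requires (DEFLATE, base64, URL-encode), and decodes it again so a logged redirect URL can be checked when troubleshooting. The issuer, NameID, session index and timestamp values are constructed sample values.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# SLO Location URL exactly as entered in the SP-side procedure above.
SLO_LOCATION_URL = "http://www.idp.demo:80/affwebservices/public/saml2slo"


def build_logout_request(request_id, issuer, name_id, session_index, issue_instant):
    """Build a minimal SAML 2.0 LogoutRequest addressed to the IdP SLO service."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": SLO_LOCATION_URL,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def redirect_encode(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{SLO_LOCATION_URL}?{urlencode(params)}"


def redirect_decode(url):
    """Inverse of redirect_encode; lets you inspect a logged SLO redirect URL."""
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(deflated, -15).decode("utf-8"))
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
        "relay_state": query.get("RelayState", [None])[0],
        # The receiving SLO service must reject a request whose Destination is not its own endpoint.
        "destination_ok": root.get("Destination") == SLO_LOCATION_URL,
    }
```

The SLO Confirm URL from the procedure is a natural RelayState value, since it is where the SP wants the browser returned after logout completes.
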

Test Single Logout

Use the web pages included with the sample application to test single logout. To have access to these pages, you must have run the sample application.

The web pages are located in the following two folders.

policy_server_home/samples/federation/content/idpsample
policy_server_home/samples/federation/content/spsample
policy_server_home

Specifies the installed location of the SiteMinder Policy Server.

Important! If you have run the sample application, the idpsample and spsample folders are automatically copied into the document root directory of your web server.

If you have not run the sample application, use your own web pages. Verify that your HTML page for testing SP-initiated single sign-on includes a hard-coded link to the single logout service.

After you have successfully tested single sign-on, you can test single logout from the SP.demo welcome page.

To test single logout

On the SP Welcome page, click the link labeled Single Logout using HTTP Redirect binding.

If single logout is successful, the following page appears:

Graphic showing a logout page

Configure SAML 2.0 Artifact Single Sign-on

Complete tasks at the Identity Provider and Service Provider to configure artifact single sign-on.

Required tasks at the Identity Provider:

Required tasks at the Service Provider:

Set Up the IdP Session Store for Artifact Single Sign-on

For artifact binding, set up and enable the session store at the IdP. When you use the artifact binding, the session store is required to store the assertion before it is retrieved with the artifact.

To enable the session store

  1. Install and configure an ODBC database to serve as the session store. In this deployment, we are using Microsoft SQL Server.

    For instructions, see the Policy Server Installation Guide.

  2. Open the Policy Server Management Console.
  3. Select the Data tab.
  4. Select Session Server from the Database drop-down list.
  5. Complete the following fields:
    Data Source Information

    SiteMinder Session Data Source

    User Name

    admin

    Password

    dbpassword

    Confirm Password

    dbpassword

    Maximum connections

    16 (default)

  6. Select the Enable Session Server check box.
  7. Click OK to save the settings.
  8. Enable SSL for the IdP Web Server for Artifact Single Sign-on.

Enable SSL for the IdP Web Server for Artifact Single Sign-on

Enable SSL for the web server where the Web Agent Option Pack is installed. Enabling SSL protects the back channel over which the assertion is passed.

Follow these steps:

  1. Create a server-side certificate request.
  2. Have the Certificate Authority sign the server-side certificate.
  3. Specify the server-side certificate in the web server configuration.

    For the IIS web server used in the sample network, use the IIS Certificate Wizard.

  4. Enable a Persistent Session to Store Assertions at the IdP.