JBoss Community Archive (Read Only)

PicketLink

Back-Channel Single Logout

Introduction

This document describes an alternative to the current implementation of the Single Logout Profile.

Currently, PicketLink supports SLO using the browser as an intermediary. In this case, LogoutRequest and LogoutResponse messages are sent between the IdP and the SPs using HTTP redirects. Depending on the number of participants (SPs) in an SSO session, this workflow becomes unfeasible, because of the number of redirects required to perform the logout.

Other issues are:

  • If one participant fails to process the logout, the remaining ones will not have their sessions invalidated.

  • Network issues or the unavailability of a single SP can also break the logout flow.

Single Logout Overview

The Single Logout Profile works as follows:

[Figure: async_slo.png, overview of the Single Logout Profile flow]

SAML defines two binding types for SLO:

  • Asynchronous Bindings (Front-Channel)

  • Synchronous Bindings (Back-Channel)

For more information, please take a look at the specification.

Currently, PicketLink provides SLO using an Asynchronous Binding, with the browser acting as intermediary for the HTTP redirects between the IdP and the SPs.

Proposal

As an alternative, PicketLink may also provide support for Synchronous Bindings and avoid HTTP redirects between IdP and SPs using a browser as intermediary.

In this case, instead of sending HTTP redirects for each participant, IdP and SPs communicate with each other using a back-channel:

  1. User starts a Single Logout from an SP

  2. The SP sends a LogoutRequest to the IdP using an HTTP redirect

  3. The IdP iterates over the participant list and sends a LogoutRequest for each one using their respective SLO Binding URL or Service. The communication is done without requiring browser intervention.

  4. Each SP marks the user session as invalid.

Considering this scenario, the logout process would be much faster and less error-prone. If a specific SP fails to log out, the others are not impacted.
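The following is an added example that is not part of the original page or of PicketLink itself. It simulates the IdP side of steps 3 and 4: the IdP builds one SAML LogoutRequest per participant, delivers it over a back-channel transport, parses each LogoutResponse, and records a per-SP outcome so that an unreachable or failing SP does not stop the remaining participants from being logged out. The entity IDs, SLO URLs, session values and the in-memory transport are constructed for the example; no network or PicketLink API is used.

```python
"""Simulated SAML 2.0 back-channel Single Logout fan-out (added example, not PicketLink code)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, name_id, session_index, destination):
    """Minimal LogoutRequest (unsigned) addressed to one SP's SLO endpoint."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "Destination": destination})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def build_logout_response(issuer, in_response_to, status=STATUS_SUCCESS):
    """LogoutResponse an SP returns on the same back-channel connection."""
    root = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "InResponseTo": in_response_to})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    status_el = ET.SubElement(root, f"{{{SAMLP}}}Status")
    ET.SubElement(status_el, f"{{{SAMLP}}}StatusCode", {"Value": status})
    return ET.tostring(root, encoding="unicode")


def parse_logout_response(xml_text):
    """Return (success, InResponseTo) from a LogoutResponse document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        raise ValueError("not a LogoutResponse")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    ok = code is not None and code.get("Value") == STATUS_SUCCESS
    return ok, root.get("InResponseTo")


def back_channel_logout(idp_issuer, session, participants, transport):
    """IdP side: one LogoutRequest per participant, each tried independently.
    A transport error or non-Success status is recorded for that SP only;
    the loop continues with the remaining participants."""
    results = {}
    for sp_entity_id, slo_url in participants.items():
        request = build_logout_request(idp_issuer, session["name_id"],
                                       session["session_index"], slo_url)
        request_id = ET.fromstring(request).get("ID")
        try:
            ok, in_response_to = parse_logout_response(transport(slo_url, request))
            # A response must correlate to the request we just sent.
            if in_response_to != request_id:
                ok = False
        except Exception as exc:  # unreachable SP, malformed reply, etc.
            results[sp_entity_id] = ("error", str(exc))
            continue
        results[sp_entity_id] = ("success" if ok else "failed", None)
    return results


# Constructed participant list: entity ID -> back-channel SLO endpoint (hypothetical values).
PARTICIPANTS = {
    "https://sp-a.example/metadata": "https://sp-a.example/saml/slo",
    "https://sp-b.example/metadata": "https://sp-b.example/saml/slo",
    "https://sp-c.example/metadata": "https://sp-c.example/saml/slo",
}


def simulated_transport(slo_url, request_xml):
    """Stand-in for the HTTP client: SP A succeeds, SP B is down, SP C refuses."""
    request_id = ET.fromstring(request_xml).get("ID")
    if "sp-b" in slo_url:
        raise ConnectionError("connection refused")
    if "sp-c" in slo_url:
        return build_logout_response(slo_url, request_id, STATUS_RESPONDER)
    return build_logout_response(slo_url, request_id)


def run_demo():
    session = {"name_id": "alice@example.org", "session_index": "_session-1"}  # constructed
    return back_channel_logout("https://idp.example/metadata", session,
                               PARTICIPANTS, simulated_transport)


if __name__ == "__main__":
    for sp, (outcome, detail) in run_demo().items():
        print(sp, outcome, detail or "")
```

Running the demo reports SP A as logged out, SP B as an error (unreachable) and SP C as failed (non-Success status), which is the failure isolation the proposal describes: each SP's outcome is independent, and the IdP can report or retry individual participants rather than abandoning the whole flow.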

Configuration

To enable back-channel SLO, declare the SAML2LogOutHandler with the BACK_CHANNEL_LOGOUT option as follows:

<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler">
    <Option Key="BACK_CHANNEL_LOGOUT" Value="true"/>
</Handler>

Known Issues

When the IdP sends a LogoutRequest to each SP over the back-channel, the signature on that request is not verified. Signature checks are skipped only for logout requests received from the back-channel; front-channel requests are still verified.

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:18:21 UTC, last content change 2014-07-18 12:26:09 UTC.