This document describes an alternative to the current implementation of the Single Logout Profile.
Currently, PicketLink supports SLO using the browser as an intermediary: LogoutRequest and LogoutResponse messages are passed between the IdP and the SPs through HTTP redirects. As the number of participants (SPs) in an SSO session grows, this workflow becomes infeasible, because every participant adds a round trip through the user's browser before the logout can complete.
Other issues are:
- If one participant fails to process the logout, the redirect chain stops there and the remaining participants never have their sessions invalidated.
- Network issues or the unavailability of a single SP can also break the whole logout flow.
The SAML Single Logout Profile can be carried over two kinds of bindings:
- Asynchronous Bindings (Front-Channel): messages travel through the user's browser, e.g. via the HTTP Redirect or HTTP POST binding.
- Synchronous Bindings (Back-Channel): IdP and SP exchange messages directly, without the browser, typically via the SOAP binding.
For more information, please take a look at the SAML specification.
Currently, PicketLink provides SLO only over an asynchronous binding, using the browser as the intermediary for HTTP redirects between the IdP and the SPs.
As an alternative, PicketLink could also support synchronous bindings, so that the IdP and the SPs no longer depend on the browser relaying HTTP redirects between them.
In this case, instead of issuing one HTTP redirect per participant, the IdP and the SPs communicate with each other over a back-channel:
- User starts a Single Logout from an SP
- The SP sends a LogoutRequest to the IdP using an HTTP redirect
- The IdP iterates over the participant list and sends a LogoutRequest for each one using their respective SLO Binding URL or Service. The communication is done without requiring browser intervention.
- Each SP marks the user session as invalid.
In this scenario the logout process would be much faster and less error-prone: the IdP contacts each participant directly, and if a specific SP fails to log out, the others are not affected.
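The back-channel flow above as an added, runnable illustration (this is not PicketLink code): a toy IdP fans a SOAP-wrapped samlp:LogoutRequest out to each participant's synchronous SLO endpoint, each SP invalidates its session and answers with a LogoutResponse, and the IdP records every result independently, so an unreachable SP does not stop the loop. The entity IDs, session index and the in-process callables standing in for HTTPS calls are constructed assumptions for the example.

```python
"""Back-channel Single Logout fan-out, modelled in Python.

Added illustration, not PicketLink code. Each SP's SLO endpoint is an
in-process callable so the example runs offline; a real IdP would POST the
same SOAP envelope over HTTPS to the SP's synchronous SLO endpoint.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("soapenv", SOAP)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _envelope(tag, attrs):
    """Return (envelope, message) with the SAML message inside the SOAP Body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    return env, ET.SubElement(body, f"{{{SAMLP}}}{tag}", attrs)


def build_logout_request(idp_entity_id, name_id, session_index):
    """IdP side: returns (request ID, SOAP-wrapped samlp:LogoutRequest bytes)."""
    request_id = "_" + uuid.uuid4().hex
    env, req = _envelope("LogoutRequest", {"ID": request_id, "Version": "2.0",
                                           "IssueInstant": _now()})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = idp_entity_id
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return request_id, ET.tostring(env)


def build_logout_response(sp_entity_id, in_response_to, status):
    """SP side: SOAP-wrapped samlp:LogoutResponse answering in_response_to."""
    env, resp = _envelope("LogoutResponse", {"ID": "_" + uuid.uuid4().hex,
                                             "Version": "2.0", "IssueInstant": _now(),
                                             "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = sp_entity_id
    status_el = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status_el, f"{{{SAMLP}}}StatusCode", {"Value": status})
    return ET.tostring(env)


class ServiceProvider:
    """Toy SP holding SSO sessions keyed by SessionIndex (constructed data)."""

    def __init__(self, entity_id, sessions):
        self.entity_id = entity_id
        self.sessions = dict(sessions)  # SessionIndex -> NameID

    def slo_endpoint(self, soap_bytes):
        """Synchronous SLO endpoint: invalidate the session and answer at once."""
        req = ET.fromstring(soap_bytes).find(f".//{{{SAMLP}}}LogoutRequest")
        if req is None:
            raise ValueError("SOAP body carries no LogoutRequest")
        # Logout is idempotent: a session that is already gone still succeeds.
        self.sessions.pop(req.findtext(f"{{{SAMLP}}}SessionIndex"), None)
        return build_logout_response(self.entity_id, req.get("ID"), STATUS_SUCCESS)


def idp_single_logout(idp_entity_id, name_id, session_index, participants):
    """Fan the LogoutRequest out to every participant over the back-channel.

    participants maps SP entity ID -> callable(request_bytes) -> response_bytes.
    Returns SP entity ID -> "success" or "failed:<reason>". An unreachable or
    misbehaving SP is recorded and the loop continues, so one failing
    participant does not leave the others logged in.
    """
    results = {}
    for sp_id, endpoint in participants.items():
        request_id, request = build_logout_request(idp_entity_id, name_id, session_index)
        try:
            resp = ET.fromstring(endpoint(request)).find(f".//{{{SAMLP}}}LogoutResponse")
            if resp is None or resp.get("InResponseTo") != request_id:
                results[sp_id] = "failed:unsolicited-or-missing-response"
                continue
            code = resp.find(f".//{{{SAMLP}}}StatusCode").get("Value")
            results[sp_id] = "success" if code == STATUS_SUCCESS else f"failed:{code}"
        except Exception as exc:  # transport error, malformed XML, ...
            results[sp_id] = f"failed:{type(exc).__name__}"
    return results


def demo():
    """Three participants, the second one down. Returns (results, sp1, sp2)."""
    sp1 = ServiceProvider("https://sp1.example.org", {"sess-42": "alice"})
    sp2 = ServiceProvider("https://sp2.example.org", {"sess-42": "alice"})

    def unreachable(_request):
        raise ConnectionError("sp3 is not answering")

    participants = {sp1.entity_id: sp1.slo_endpoint,
                    "https://sp3.example.org": unreachable,
                    sp2.entity_id: sp2.slo_endpoint}
    results = idp_single_logout("https://idp.example.org", "alice", "sess-42", participants)
    return results, sp1, sp2


if __name__ == "__main__":
    for sp, outcome in demo()[0].items():
        print(f"{sp}: {outcome}")
```

Running the block logs sp1 and sp2 out and reports sp3 as failed:ConnectionError; in the front-channel chain the redirect to sp3 would have stopped the flow before sp2 was ever reached. The InResponseTo check is the minimum an IdP should do before trusting a LogoutResponse it did not solicit.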
To enable back-channel SLO, you only need to declare the SAML2LogoutHandler as follows:
When the IdP sends a LogoutRequest to each SP over the back-channel, signature validation is skipped only for logout requests received on that channel; front-channel requests are still verified as before. Because such a request carries no verified signature, the SP must authenticate the IdP by other means, for example a mutually authenticated TLS connection or restricting the back-channel SLO endpoint to the IdP's address; otherwise anyone able to reach that endpoint could terminate user sessions.