
Introduction

This document describes an alternative to the current implementation of the Single Logout Profile.

Currently, PicketLink supports SLO using the browser as an intermediary: LogoutRequest and LogoutResponse messages are passed between the IdP and the SPs through HTTP redirects. Depending on the number of participants (SPs) in an SSO session, this workflow becomes infeasible because of the number of redirects needed to complete the logout.

Other issues are:

  • If one participant fails to process the logout, the remaining ones do not have their sessions invalidated.
  • Network issues or the unavailability of a single SP can also break the logout flow.

Single Logout Overview

The SAML 2.0 Single Logout Profile can be carried over two kinds of bindings:

  • Asynchronous bindings (front-channel), where every message passes through the user's browser (HTTP Redirect, HTTP POST, HTTP Artifact)
  • Synchronous bindings (back-channel), where the IdP and the SP exchange request and response directly on one connection (SOAP)

For more information, please take a look at the SAML 2.0 Profiles specification.

Currently, PicketLink provides SLO only over an asynchronous binding, using the browser as the intermediary for HTTP redirects between the IdP and the SPs.

Proposal

As an alternative, PicketLink may also support synchronous bindings and avoid routing HTTP redirects between the IdP and the SPs through the browser.

In this case, instead of issuing one HTTP redirect per participant, the IdP and the SPs communicate with each other over a back-channel:

  1. The user starts a Single Logout from an SP.
  2. The SP sends a LogoutRequest to the IdP using an HTTP redirect.
  3. The IdP iterates over the participant list and sends a LogoutRequest to each participant's back-channel SLO endpoint (its SingleLogoutService), receiving that SP's LogoutResponse on the same connection. No browser intervention is required for this step.
  4. Each SP marks the user's session as invalid.

In this scenario the logout process is much faster and less error-prone: if one SP fails to log the user out, the others are not affected.

Configuration

To enable back-channel SLO you just need to declare the SAML2LogoutHandler as follows:

Known Issues

When the IdP sends a LogoutRequest to an SP over the back-channel, the SP does not verify the request signature; signatures are ignored only for back-channel logout requests, front-channel processing is unchanged. Until this is fixed, an SP cannot authenticate the sender of a back-channel LogoutRequest, so any client that can reach the SP's back-channel SLO endpoint can terminate sessions there. Deployments should therefore make that endpoint reachable only from the IdP (for example, over TLS with client authentication or through network restrictions).
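The following is an added example, written for this page and not code from PicketLink, that simulates in one Python process the fan-out of steps 3 and 4 of the proposal together with the signature check that the known issue above leaves out. The entity IDs, session indexes and shared secret are constructed for the example, and the HMAC over the SOAP payload is a stand-in for XML Signature on the LogoutRequest; a real SP verifies ds:Signature against the IdP certificate in metadata. One SP is unreachable and one requires a signature, so the example shows failure isolation and the difference between an SP that ignores signatures and one that does not.

```python
# Added example (not PicketLink code): back-channel SLO fan-out simulated
# in-process. Entity IDs, session indexes, the shared secret and the HMAC
# "signature" are constructed stand-ins for the real deployment artefacts.
import datetime
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
for prefix, uri in (("samlp", NS_SAMLP), ("saml", NS_SAML), ("soap", NS_SOAP)):
    ET.register_namespace(prefix, uri)


def _now():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, name_id, session_index):
    """samlp:LogoutRequest naming the principal and the SP-side session to end."""
    req = ET.Element(f"{{{NS_SAMLP}}}LogoutRequest", ID="_" + uuid.uuid4().hex,
                     Version="2.0", IssueInstant=_now())
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS_SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{NS_SAMLP}}}SessionIndex").text = session_index
    return req


def build_logout_response(issuer, in_response_to, status):
    """samlp:LogoutResponse carrying a top-level SAML status code."""
    resp = ET.Element(f"{{{NS_SAMLP}}}LogoutResponse", ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=_now(), InResponseTo=in_response_to)
    ET.SubElement(resp, f"{{{NS_SAML}}}Issuer").text = issuer
    st = ET.SubElement(resp, f"{{{NS_SAMLP}}}Status")
    ET.SubElement(st, f"{{{NS_SAMLP}}}StatusCode", Value=status)
    return resp


def soap_wrap(elem):
    """Serialise a SAML protocol message inside a SOAP 1.1 Envelope/Body."""
    env = ET.Element(f"{{{NS_SOAP}}}Envelope")
    ET.SubElement(env, f"{{{NS_SOAP}}}Body").append(elem)
    return ET.tostring(env, encoding="utf-8")


def soap_unwrap(data):
    """Return the single SAML message carried in the SOAP Body."""
    return ET.fromstring(data).find(f"{{{NS_SOAP}}}Body")[0]


def status_code(soap_response):
    return soap_unwrap(soap_response).find(
        f"{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode").get("Value")


def sign(secret, data):
    # HMAC stands in for XML Signature; a real SP checks ds:Signature instead.
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


class ServiceProvider:
    def __init__(self, entity_id, secret, require_signature, reachable=True):
        self.entity_id, self.secret = entity_id, secret
        self.require_signature, self.reachable = require_signature, reachable
        self.sessions = {}  # session_index -> name_id

    def slo_endpoint(self, soap_bytes, signature):
        """Back-channel SingleLogoutService: SOAP request in, SOAP response out."""
        if not self.reachable:
            raise ConnectionError(f"{self.entity_id} unreachable")
        req = soap_unwrap(soap_bytes)
        req_id = req.get("ID")
        good_sig = signature is not None and hmac.compare_digest(
            signature, sign(self.secret, soap_bytes))
        if self.require_signature and not good_sig:
            # Sender not authenticated: refuse to touch any session.
            return soap_wrap(build_logout_response(self.entity_id, req_id, STATUS_REQUESTER))
        self.sessions.pop(req.findtext(f"{{{NS_SAMLP}}}SessionIndex"), None)
        return soap_wrap(build_logout_response(self.entity_id, req_id, STATUS_SUCCESS))


class IdentityProvider:
    def __init__(self, entity_id, secret):
        self.entity_id, self.secret = entity_id, secret
        self.participants = []  # (sp, session_index, name_id) per SSO session member

    def register(self, sp, session_index, name_id):
        sp.sessions[session_index] = name_id
        self.participants.append((sp, session_index, name_id))

    def single_logout(self, name_id):
        """Send one signed LogoutRequest per participant; one failure does not stop the rest."""
        results = {}
        for sp, idx, nid in self.participants:
            if nid != name_id:
                continue
            payload = soap_wrap(build_logout_request(self.entity_id, name_id, idx))
            try:
                results[sp.entity_id] = status_code(sp.slo_endpoint(payload, sign(self.secret, payload)))
            except ConnectionError as exc:
                results[sp.entity_id] = f"unreachable: {exc}"  # keep iterating
        return results


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    idp = IdentityProvider("https://idp.example.org", secret)
    sps = [ServiceProvider("https://sp-a.example.org", secret, False),
           ServiceProvider("https://sp-b.example.org", secret, False, reachable=False),
           ServiceProvider("https://sp-c.example.org", secret, True)]
    for n, sp in enumerate(sps):
        idp.register(sp, f"idx-{n}", "alice")
    print(idp.single_logout("alice"))
```

Running the script prints a per-SP result map: the signature-checking SP and the plain SP report Success, the unreachable SP is recorded as such without aborting the loop. Sending the same LogoutRequest without a signature directly to the SP that requires one yields the Requester status and leaves its session in place, which is exactly the check an SP needs before the known issue above is resolved.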
