Understanding the SAML SP-Initiated Single Logout (SLO) Flow


In today's world of web-based applications and Single Sign-On (SSO), managing user sessions efficiently and securely is essential. SSO lets a user authenticate once and reach many services; Single Logout (SLO) is the counterpart that ends the user's session at every connected service when they log out of one of them. SAML (Security Assertion Markup Language) defines a Single Logout profile that gives SP-Initiated SLO a standardized message exchange, so a session can be ended consistently across systems from different vendors.

In this article, we’ll explain the high-level flow of the SP-Initiated SLO process, covering the interaction between the essential components: the End User/Browser, Service Provider (SP), Identity Provider (IDP), and the Identity Store (LDAP).


High-Level SP-Initiated SLO Flow

In the SP-Initiated SLO process, the logout is initiated by the Service Provider (SP). The goal is to terminate the user's session everywhere it exists: at the SP, at the IDP, and at any other SP that was signed in through the same IDP session. Here's a step-by-step breakdown of the flow:

1. User Requests to Log Out from the SP

The flow begins when the end user decides to log out from the Service Provider (SP), typically by clicking a "Log Out" button. Closing the browser tab does not start this flow: the SP never receives a logout instruction from it, so its session cookie would simply persist until it expires. The SP initiates the SLO process to ensure that the user's session is terminated everywhere, not just within the service they are logging out of.

  • Action: The user clicks "Log Out" on the SP interface, signaling the SP to begin the logout process.

2. SP Sends Logout Request to the Identity Provider (IDP)

After the user logs out of the SP, the SP sends a SAML LogoutRequest to the Identity Provider (IDP). The request names the user (the NameID from the original assertion) and the specific IDP session (the SessionIndex from that assertion), carries the SP's Issuer, and is signed so the IDP can be sure it really came from that SP. It usually travels through the user's browser (front-channel, via the HTTP-Redirect or HTTP-POST binding), though a back-channel SOAP binding is also defined. This request informs the IDP that the user's session should be ended, not just with the SP, but across all applications and services that are relying on the same IDP for authentication.

  • Action: The SP sends a signed SAML LogoutRequest (NameID plus SessionIndex) to the IDP, informing the IDP that the user wants to log out and terminate their session.

3. IDP Processes the Logout Request

Upon receiving the SAML LogoutRequest from the SP, the IDP validates it before acting on it: it checks the signature against the SP's registered key, confirms the Issuer is a known SP and the Destination is its own SLO endpoint, and looks up the session identified by the NameID and SessionIndex. If that session exists and belongs to that user, the IDP invalidates it. The IDP then walks the list of other session participants (the other SPs that received assertions from this session) and sends each of them its own LogoutRequest, collecting their responses. This propagation is what makes the logout "single", and it happens before the IDP answers the original SP.

The Identity Store (LDAP) holds user records, not sessions, so it is rarely involved here; at most the IDP consults it to resolve the NameID to a user account for auditing. The session state itself is cleared from the IDP's own session store.

  • Action: The IDP validates the request, invalidates the matching session, and sends a LogoutRequest to every other SP that shares it. It may consult the LDAP to resolve the user, but the session data lives in, and is removed from, the IDP's session store.

4. IDP Sends Logout Response to the SP

Once the IDP has invalidated the user's session and heard back from the other participants, it sends a SAML LogoutResponse back to the SP. The response is signed, carries InResponseTo set to the ID of the SP's LogoutRequest, and reports a Status: Success when every participant logged out, or PartialLogout when at least one could not be reached or reported a failure. The SP can then finish cleaning up the user's session locally.

  • Action: The IDP sends a signed SAML LogoutResponse back to the SP, confirming that the session has been terminated (Success) or that some participants could not be logged out (PartialLogout).

5. SP Ends the User's Session and Redirects the User

When the SAML LogoutResponse arrives, the SP validates it before trusting it: the signature must verify against the IDP's key, the Issuer must be the expected IDP, the Destination must be the SP's own SLO endpoint, and InResponseTo must match a LogoutRequest the SP actually sent and has not yet seen answered. An unsigned or unsolicited response is discarded.

The SP's local clean-up (deleting the session cookies or tokens that maintained the user's authenticated state) should not depend on that response at all. A well-behaved SP clears its own session at the moment it sends the LogoutRequest, so a response that never comes back, or that comes back as PartialLogout, cannot leave the user signed in at the SP.

Once the session is terminated, the SP may also redirect the user to a confirmation page, a homepage, or another appropriate URL, such as a login page or a public-facing page, depending on the configuration. If that target is taken from a request parameter or from RelayState, the SP must check it against an allow-list of its own URLs; otherwise the logout endpoint becomes an open redirect.

  • Action: The SP validates the LogoutResponse, clears the user's session and cookies (ideally already done when the request went out), and redirects the user to a vetted page (e.g., a logout confirmation or homepage).

6. User is Logged Out Across All Applications

At this point, the user has been logged out from both the SP and the IDP. Other service providers that relied on the same IDP session are logged out too, but only because the IDP sent each of them a LogoutRequest in step 3 and they terminated their own local sessions in reply; an IDP that merely invalidates its own session does not touch the cookies those SPs issued. Any participant the IDP could not reach keeps its local session until it expires, which is exactly what a PartialLogout status in the response warns the SP about.

  • Action: The user is logged out from every application federated through the IDP that acknowledged the IDP's LogoutRequest; a PartialLogout status tells the SP that at least one did not.
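The six steps above, run end to end as an added example. This is Python written for this article, not code from the original post or from any vendor's product. The SP and IDP entity IDs and endpoints, the user, the SessionIndex and the second participating SP are all constructed for the demo; the HTTP-Redirect binding's RSA query-string signature is replaced by an HMAC-SHA256 over the same canonical string so the script runs on the standard library alone; and a `propagate` callback stands in for the LogoutRequests the IDP sends to the other SPs.

```python
"""SP-initiated SAML SLO, steps 1 to 6, in one runnable simulation; every name here is constructed."""
import base64, hashlib, hmac, secrets, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import unquote_plus, urlencode
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
SP_ENTITY = "https://sp.example.com/saml/metadata"
IDP_ENTITY = "https://idp.example.com/saml/metadata"
SP_SLO_URL = "https://sp.example.com/saml/slo"
IDP_SLO_URL = "https://idp.example.com/saml/slo"
# Real Redirect-binding signatures are RSA (SigAlg ...xmldsig-more#rsa-sha256) with the sender's
# private key; an HMAC over the same canonical string stands in so this runs on stdlib alone.
SIG_ALG = "urn:example:demo:hmac-sha256"
SIGNING_KEY = b"demo-key-not-for-production"

def new_id():
    return "_" + secrets.token_hex(16)  # xs:ID values must not start with a digit

def now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def _sign(canonical):
    return base64.b64encode(hmac.new(SIGNING_KEY, canonical.encode(), hashlib.sha256).digest()).decode()

def encode_redirect(param, xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode, then sign the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    b64 = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
    fields = [(param, b64)] + ([("RelayState", relay_state)] if relay_state else []) + [("SigAlg", SIG_ALG)]
    canonical = urlencode(fields)  # the signed string is exactly <param>[&RelayState]&SigAlg
    return canonical + "&" + urlencode({"Signature": _sign(canonical)})

def decode_redirect(query, param):
    """Verify the signature over the query string exactly as received, then inflate the message."""
    raw = dict(piece.split("=", 1) for piece in query.split("&"))
    canonical = "&".join(f"{k}={raw[k]}" for k in (param, "RelayState", "SigAlg") if k in raw)
    if not hmac.compare_digest(_sign(canonical).encode(), unquote_plus(raw.get("Signature", "")).encode()):
        raise ValueError(f"missing or bad signature on {param}")
    return zlib.decompress(base64.b64decode(unquote_plus(raw[param])), -15).decode()

def build_logout_request(name_id, session_index):
    """Step 2: the SP names the principal and the exact IDP session it wants ended."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", ID=new_id(), Version="2.0",
                     IssueInstant=now(), Destination=IDP_SLO_URL)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return req.get("ID"), ET.tostring(req, encoding="unicode")

def build_logout_response(in_response_to, status):
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", ID=new_id(), Version="2.0", IssueInstant=now(),
                      Destination=SP_SLO_URL, InResponseTo=in_response_to)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", Value=status)
    return ET.tostring(resp, encoding="unicode")

def idp_handle_logout(query, sessions, propagate):
    """Steps 3 and 4. sessions: SessionIndex -> (NameID, participant entity IDs); propagate(sp, name_id, index) stands in for the LogoutRequest sent to each other SP."""
    root = ET.fromstring(decode_redirect(query, "SAMLRequest"))
    if root.tag != f"{{{SAMLP}}}LogoutRequest" or root.get("Destination") != IDP_SLO_URL:
        raise ValueError("LogoutRequest not addressed to this IDP")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    name_id = root.findtext(f"{{{SAML}}}NameID")
    index = root.findtext(f"{{{SAMLP}}}SessionIndex")
    status, sess = STATUS_SUCCESS, sessions.get(index)
    if sess and sess[0] == name_id:
        del sessions[index]  # the IDP's own session dies first, whatever the other SPs answer
        for sp in sess[1] - {issuer}:
            if not propagate(sp, name_id, index):  # any unreachable participant downgrades the result
                status = STATUS_PARTIAL
    return encode_redirect("SAMLResponse", build_logout_response(root.get("ID"), status))

def sp_validate_logout_response(query, outstanding_ids):
    """Step 4 on the SP side: accept only a signed answer to a request this SP actually sent."""
    root = ET.fromstring(decode_redirect(query, "SAMLResponse"))
    if (root.tag != f"{{{SAMLP}}}LogoutResponse" or root.get("Destination") != SP_SLO_URL
            or root.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY):
        raise ValueError("LogoutResponse not from the expected IDP or not addressed to this SP")
    rid = root.get("InResponseTo")
    if rid not in outstanding_ids:
        raise ValueError("unsolicited or replayed LogoutResponse")
    outstanding_ids.discard(rid)  # each request ID may be answered once
    return root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")

def run_slo(sessions, propagate, name_id="alice@example.com", session_index="_sess-42"):
    """Steps 1 to 6 in order; returns the status the SP finally sees."""
    sp_session = {"user": name_id, "idp_session": session_index}  # the SP's own local session
    rid, req = build_logout_request(name_id, session_index)
    outstanding = {rid}
    sp_session.clear()  # step 5 happens now: a lost or failed LogoutResponse must not keep it alive
    response_query = idp_handle_logout(encode_redirect("SAMLRequest", req, "/goodbye"), sessions, propagate)
    return sp_validate_logout_response(response_query, outstanding)
```

Calling `run_slo(sessions, lambda sp, name_id, index: True)` against a session table such as `{"_sess-42": ("alice@example.com", {SP_ENTITY, "https://other-sp.example.net/saml/metadata"})}` removes the IDP session and returns the Success status; a `propagate` that returns False for the other SP turns the result into PartialLogout without touching anything else. Flipping one character of RelayState in the signed query makes `decode_redirect` raise before any XML is parsed, and a LogoutResponse whose InResponseTo was never issued by this SP is rejected by `sp_validate_logout_response`, which is the check that stops an attacker-supplied response from being mistaken for the IDP's answer.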


About Satya

Satya is an IAM Engineer and the Editor of Techstotle.com. He possesses a deep passion for Identity and Access Management (IAM) technologies, with a particular focus on PingFederate and PingAM. Satya is dedicated to demystifying these complex technologies and making them accessible to a wider audience. Techstotle.com serves as a one-stop shop for the latest IAM insights, featuring comprehensive tutorials on PingFederate and PingAM. Join Satya on this journey of tech exploration as he empowers you to navigate the ever-evolving world of IAM.
