SLO with SAML 2.0

Use

Single Log-Out (SLO) enables users to cleanly close all their sessions in a SAML landscape, even across domains. This not only frees system resources that would otherwise remain reserved until the sessions time out, but also mitigates the risk of unattended sessions being hijacked.

Process

SAML provides a number of binding options to pass SAML messages back and forth between the identity provider and the service provider.

  • Front channel

    For front-channel communication, SAML messages are passed back and forth over the user agent with HTTP redirect or HTTP POST methods.

  • Back channel

    For back-channel communication, the identity provider and service provider can either use SAML artifacts or communicate directly over SOAP. With the artifact binding, the providers pass only short artifacts over the user agent; when a provider receives an artifact, it queries the other provider directly over SOAP to resolve the artifact into the actual SAML message. With the SOAP binding, no artifacts are involved: the providers exchange the SAML messages directly over SOAP.

Back-channel communication provides additional security: anyone able to eavesdrop on the user agent sees at most an artifact reference, never the SAML message itself. The artifact binding, however, costs additional round trips, because each artifact must be resolved before the request can be processed. Front-channel communication can be protected by digitally signing and encrypting the SAML messages. The communication options can be mixed within one landscape.

The figure below illustrates SLO initiated at a service provider over a front-channel binding, such as HTTP redirect, with the identity provider reaching the other service providers over a back-channel binding, such as SOAP over HTTP.

Figure 1: Process Flow for SLO with SAML 2.0
  1. The user initiates a logout request at a service provider.

  2. The service provider forwards this request to an identity provider.

  3. After the identity provider validates the request, it sends new logout requests to all other service providers, with which the user has a security session that the identity provider is aware of.

  4. The service providers validate the request, destroy any session information for the user, and send a logout response to the identity provider.

  5. The identity provider destroys the user's sessions and sends a response to the original service provider.

  6. The original service provider informs the user that he or she has been logged out.
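The six-step flow above, simulated end to end in Python using only the standard library. This is an added example, not code from this documentation or from SAP's implementation. It encodes the front-channel leg exactly as the SAML 2.0 HTTP-Redirect binding prescribes (raw DEFLATE, base64, URL-encoding) and wraps the back-channel leg in a SOAP 1.1 envelope as the SOAP binding does, but the HTTP and SOAP transports themselves are replaced by direct method calls, and the messages are unsigned; a real deployment signs and verifies every LogoutRequest and LogoutResponse. The entity IDs, the user name, the session index `_sess42` and the session stores are constructed for the demo. It goes one step beyond the page's happy path: when one service provider cannot be reached over the back channel, the identity provider still destroys its own session and reports this to the originating service provider with the second-level status code `PartialLogout` defined by SAML 2.0 Core.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote

P, A = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP, TS = "http://schemas.xmlsoap.org/soap/envelope/", "%Y-%m-%dT%H:%M:%SZ"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"  # second-level code under Success

def logout_request(issuer, name_id, session_index, ttl_seconds=300):
    """Unsigned samlp:LogoutRequest; NotOnOrAfter bounds the replay window (always set here)."""
    now = datetime.now(timezone.utc)
    req = ET.Element(f"{{{P}}}LogoutRequest", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
          "IssueInstant": now.strftime(TS), "NotOnOrAfter": (now + timedelta(seconds=ttl_seconds)).strftime(TS)})
    ET.SubElement(req, f"{{{A}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{A}}}NameID").text = name_id
    ET.SubElement(req, f"{{{P}}}SessionIndex").text = session_index
    return ET.tostring(req)

def logout_response(issuer, in_response_to, second_level=None):
    """samlp:LogoutResponse: top-level Success, optionally with a nested second-level code."""
    resp = ET.Element(f"{{{P}}}LogoutResponse", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
           "InResponseTo": in_response_to, "IssueInstant": datetime.now(timezone.utc).strftime(TS)})
    ET.SubElement(resp, f"{{{A}}}Issuer").text = issuer
    code = ET.SubElement(ET.SubElement(resp, f"{{{P}}}Status"), f"{{{P}}}StatusCode", {"Value": SUCCESS})
    if second_level:
        ET.SubElement(code, f"{{{P}}}StatusCode", {"Value": second_level})
    return ET.tostring(resp)

def validate_request(xml_bytes, trusted_issuers):
    """Checks a receiver makes before acting on a LogoutRequest (steps 3 and 4)."""
    req = ET.fromstring(xml_bytes)
    if req.tag != f"{{{P}}}LogoutRequest" or req.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 LogoutRequest")
    if req.findtext(f"{{{A}}}Issuer") not in trusted_issuers:
        raise ValueError("issuer is not a trusted provider")
    if datetime.strptime(req.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc) <= datetime.now(timezone.utc):
        raise ValueError("LogoutRequest has expired")
    return req

def redirect_encode(xml_bytes):  # front channel, HTTP-Redirect binding: DEFLATE, base64, URL-encode
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE stream, no zlib header
    return quote(base64.b64encode(c.compress(xml_bytes) + c.flush()).decode(), safe="")

def redirect_decode(param):  # reverses redirect_encode on the ?SAMLRequest=... value
    return zlib.decompress(base64.b64decode(unquote(param)), -15)

def soap_wrap(xml_bytes):  # back channel, SOAP binding: the SAML message is the only child of soap:Body
    return f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'.encode() + xml_bytes + b"</soap:Body></soap:Envelope>"

def soap_unwrap(envelope):
    return ET.tostring(ET.fromstring(envelope).find(f"{{{SOAP}}}Body")[0])

class ServiceProvider:
    def __init__(self, entity_id, idp):
        self.entity_id, self.idp, self.sessions = entity_id, idp, {}  # sessions: session_index -> name_id
    def user_logout(self, session_index):
        """Steps 1, 2 and 6: the user clicks logout, the SP redirects to the IdP and reports the outcome."""
        req = logout_request(self.entity_id, self.sessions[session_index], session_index)
        resp = ET.fromstring(redirect_decode(self.idp.handle_redirect(redirect_encode(req))))
        self.sessions.pop(session_index, None)
        return [c.get("Value") for c in resp.iter(f"{{{P}}}StatusCode")]  # top-level code first
    def handle_soap(self, envelope):
        """Step 4: validate the IdP's back-channel request, destroy the session, respond."""
        req = validate_request(soap_unwrap(envelope), {self.idp.entity_id})
        self.sessions.pop(req.findtext(f"{{{P}}}SessionIndex"), None)
        return soap_wrap(logout_response(self.entity_id, req.get("ID")))

class IdentityProvider:
    def __init__(self, entity_id):
        self.entity_id, self.sps = entity_id, {}  # sps: entity_id -> ServiceProvider
        self.sessions = {}  # session_index -> (name_id, set of participating SP entity IDs)
    def handle_redirect(self, param):
        """Steps 3 and 5: validate, fan out over the back channel, then answer the originator."""
        req = validate_request(redirect_decode(param), set(self.sps))
        origin, idx = req.findtext(f"{{{A}}}Issuer"), req.findtext(f"{{{P}}}SessionIndex")
        name_id, participants = self.sessions[idx]  # KeyError: no such session, request is rejected
        partial = False
        for sp_id in participants - {origin}:
            try:
                env = self.sps[sp_id].handle_soap(soap_wrap(logout_request(self.entity_id, name_id, idx)))
                code = ET.fromstring(soap_unwrap(env)).find(f"{{{P}}}Status/{{{P}}}StatusCode")
                partial |= code.get("Value") != SUCCESS
            except Exception:  # SP unreachable or it rejected the request: the originator must know
                partial = True
        del self.sessions[idx]  # the IdP's own session goes even when a participant failed
        return redirect_encode(logout_response(self.entity_id, req.get("ID"), PARTIAL if partial else None))

def run_slo_demo(sp2_reachable=True):  # constructed landscape: one IdP, two SPs, 'alice' logged in at both
    idp = IdentityProvider("https://idp.example.com")
    sp1, sp2 = ServiceProvider("https://sp1.example.com", idp), ServiceProvider("https://sp2.example.com", idp)
    idp.sps = {sp.entity_id: sp for sp in (sp1, sp2)}
    if not sp2_reachable:
        idp.sps[sp2.entity_id] = None  # stands in for an SP whose back-channel endpoint is down
    sp1.sessions["_sess42"] = sp2.sessions["_sess42"] = "alice"
    idp.sessions["_sess42"] = ("alice", {sp1.entity_id, sp2.entity_id})
    codes = sp1.user_logout("_sess42")  # alice logs out at SP1
    return codes, len(sp1.sessions), len(sp2.sessions), len(idp.sessions)
```

`run_slo_demo()` returns the status codes the originating service provider receives and the number of sessions left at SP1, SP2 and the identity provider; with both providers reachable that is `Success` and no sessions anywhere. With `sp2_reachable=False` the identity provider and SP1 still drop their sessions, but SP2 keeps the user's session and SP1 learns this from the nested `PartialLogout` code, which is why the last step of the flow should tell the user that the logout was incomplete rather than silently reporting success. The validation in `validate_request` is the minimum a receiver needs (issuer known, request type and version, not expired); signature verification and a check of `InResponseTo` against the request ID are the next things to add.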