This article describes the SAML Single Logout feature in the Smart ID Digital Access component.

SAML Single Logout (SLO) is a SAML flow that lets the end-user log out of one session and be automatically logged out of all related sessions that were established during Single Sign-On (SSO).

The end-user can initiate SLO from the Identity Provider (IDP) or from one of the Service Providers (SPs). Currently only front-channel SLO over the HTTP-Redirect binding is supported.

Enable Single Logout when Digital Access acts as IDP

 Log in to Digital Access Admin
  1. Log in to Digital Access Admin with an administrator account.
 Enable Single Logout
  1. In Digital Access Admin, go to Manage Resource Access.
  2. Click SAML Federation and select the IDP.
  3. Click SAML Federation.
  4. Select the Export tab.
  5. Check Enable Single Logout.

IDP initiated logout flow

Logout flow

When the user clicks Logout in Digital Access acting as IDP with single logout enabled:

  • A logout request is sent to every SP that has an active session with that IDP.
  • Each SP ends its own session and returns a logout response.
  • The IDP session is then ended as well.
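The request/response exchange above, as an added example that is not part of this article or of Digital Access: a Python script that builds the SAML 2.0 LogoutRequest the IDP sends to each SP and the LogoutResponse each SP returns, encodes and decodes them for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), correlates a response to the request it answers through InResponseTo, and reads the status code. Entity IDs, endpoint URLs, the NameID and the SessionIndex are constructed sample values; signing of the redirect query string (SigAlg and Signature) is left out and must be present in a real deployment.

```python
"""SAML 2.0 LogoutRequest / LogoutResponse over the HTTP-Redirect binding.

Added example, not part of Digital Access. Entity IDs, URLs, NameID and
SessionIndex below are constructed sample values. Signing of the redirect
query string (SigAlg / Signature) is omitted and must be added for real use.
"""
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"


def _new_id():
    return "_" + uuid.uuid4().hex  # SAML IDs are NCNames: must not start with a digit


def _now():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _attr(value):
    return escape(value, {'"': "&quot;"})


def build_logout_request(issuer, destination, name_id, session_index):
    """LogoutRequest: sent by the IDP to each SP (or by the initiating SP to the IDP)."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{_new_id()}" Version="2.0" IssueInstant="{_now()}" '
        f'Destination="{_attr(destination)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f"<saml:NameID>{escape(name_id)}</saml:NameID>"
        f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def build_logout_response(issuer, destination, in_response_to, status=STATUS_SUCCESS):
    """LogoutResponse: what each SP returns after ending its session."""
    return (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{_new_id()}" Version="2.0" IssueInstant="{_now()}" '
        f'Destination="{_attr(destination)}" InResponseTo="{_attr(in_response_to)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        "</samlp:LogoutResponse>"
    )


def message_id(xml):
    return ET.fromstring(xml).get("ID")


def redirect_encode(endpoint, xml, relay_state=None):
    """Redirect URL per SAML Bindings 3.4.4.1: raw DEFLATE -> base64 -> URL-encode."""
    root_tag = ET.fromstring(xml).tag
    param = "SAMLRequest" if root_tag == f"{{{SAMLP}}}LogoutRequest" else "SAMLResponse"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    query = {param: base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        query["RelayState"] = relay_state
    return endpoint + ("&" if "?" in endpoint else "?") + urlencode(query)


def redirect_decode(url):
    """Inverse of redirect_encode; handy for reading a SAMLRequest/SAMLResponse out of a captured URL."""
    qs = parse_qs(urlparse(url).query)
    param = "SAMLRequest" if "SAMLRequest" in qs else "SAMLResponse"
    xml = zlib.decompress(base64.b64decode(qs[param][0]), -15).decode("utf-8")
    return param, xml, qs.get("RelayState", [None])[0]


def logout_status(response_xml):
    """Top-level StatusCode of a LogoutResponse (the only error detail the flow carries)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        raise ValueError("not a LogoutResponse")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") is None:
        raise ValueError("LogoutResponse without StatusCode")
    return code.get("Value")


def response_accepted(request_xml, response_xml):
    """The IDP counts an SP as logged out only if the response answers the request
    it actually sent (InResponseTo matches) and carries the Success status."""
    in_reply = ET.fromstring(response_xml).get("InResponseTo")
    return in_reply == message_id(request_xml) and logout_status(response_xml) == STATUS_SUCCESS


if __name__ == "__main__":
    idp, sp = "https://idp.example.com", "https://sp1.example.com"
    req = build_logout_request(idp, sp + "/saml/slo", "alice@example.com", "_sess42")
    url = redirect_encode(sp + "/saml/slo", req, relay_state="idp-logout-page")
    print(url)
    param, decoded, relay = redirect_decode(url)
    ok = build_logout_response(sp, idp + "/saml/slo", message_id(req))
    failed = build_logout_response(sp, idp + "/saml/slo", message_id(req), STATUS_REQUESTER)
    print(param, relay, decoded == req, response_accepted(req, ok), response_accepted(req, failed))
```

Paste a SAMLRequest or SAMLResponse URL captured from the browser into redirect_decode to see the XML that was actually exchanged; the InResponseTo check in response_accepted is what separates a genuine answer from a stale or replayed response.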

Logout status

The logout page shows, for each SP, whether its logout succeeded or failed.

Issues

If any SP fails to log out, close all browser windows to make sure no session is left dangling.

SP initiated logout flow

Logout flow

When any participating SP initiates SLO with Digital Access as IDP:

  • The SP sends its logout request to Digital Access.
  • Digital Access propagates the logout request to the other participating SPs, that is, the SPs whose metadata contains an SLO endpoint.
  • Each of these SPs ends its session.
  • Each SP returns a logout response to Digital Access.
  • Digital Access ends its own session and then logs out the SP that initiated the logout by returning a logout response to it.

Issues

  • Digital Access, when acting as IDP, waits 3 seconds for the logout responses from the SPs. If they take longer, the logout is reported as failed. The timeout is defined in slo-logoutpage.js and can be increased when many SPs participate.
  • If an SP fails to log out because of an error, or if the IDP session has expired, the logout flow does not complete.
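The IDP side of the SP-initiated flow, as an added example that is neither this article's nor Digital Access's code: it reads each SP's metadata to find a SingleLogoutService with the HTTP-Redirect binding (the only binding the article says works), propagates the logout only to SPs that have one, and decides the overall result under the response timeout, treating late responses, failure responses, an expired IDP session and SPs without an SLO endpoint as reasons the flow did not complete. The metadata fragments, the simulated SP answers and latencies, and the 3-second default are constructed values; the real timeout in Digital Access lives in slo-logoutpage.js.

```python
"""IDP-side fan-out of an SP-initiated single logout: find each SP's SLO
endpoint in its metadata, propagate the LogoutRequest to the others, and
decide the overall result under a response timeout.

Added example, not Digital Access code. The metadata fragments, the simulated
SP answers and latencies, and the 3-second default are constructed sample
values; in Digital Access the real timeout is set in slo-logoutpage.js.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def slo_endpoint(metadata_xml, binding=HTTP_REDIRECT):
    """Location of the SP's SingleLogoutService for the given binding, or None.
    HTTP-Redirect is the default because it is the binding front-channel SLO
    in Digital Access works with."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iter(f"{{{MD}}}SingleLogoutService"):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def propagate_logout(initiator, sessions, sp_answers, idp_session_valid=True, timeout=3.0):
    """sessions:   {entity_id: metadata_xml} for every SP with an SSO session at the IDP.
    sp_answers: {entity_id: (status_code, seconds_until_response)} simulating each SP.
    Returns (all_sessions_terminated, outcome_per_sp)."""
    if not idp_session_valid:
        # An expired IDP session leaves nothing to fan out from: the flow cannot complete.
        return False, {"idp": "session-expired"}
    outcome = {}
    for entity_id, metadata_xml in sessions.items():
        if entity_id == initiator:
            continue  # the initiator gets the final LogoutResponse, not a new request
        if slo_endpoint(metadata_xml) is None:
            outcome[entity_id] = "no-slo-endpoint"  # never contacted; its session stays alive
            continue
        status, latency = sp_answers.get(entity_id, (None, float("inf")))
        if latency > timeout:
            outcome[entity_id] = "timeout"
        elif status == STATUS_SUCCESS:
            outcome[entity_id] = "ok"
        else:
            outcome[entity_id] = "failed"
    return all(v == "ok" for v in outcome.values()), outcome


def sp_metadata(entity_id, slo_binding=None):
    """Constructed SP metadata with an optional SingleLogoutService element."""
    slo = (f'<md:SingleLogoutService Binding="{slo_binding}" '
           f'Location="https://{entity_id}/saml/slo"/>' if slo_binding else "")
    return (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="https://{entity_id}">'
            f'<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{slo}<md:AssertionConsumerService Binding="{HTTP_POST}" '
            f'Location="https://{entity_id}/saml/acs" index="0"/>'
            '</md:SPSSODescriptor></md:EntityDescriptor>')


# Constructed sample sessions: sp1 initiates; sp4 only offers an HTTP-POST SLO
# endpoint; sp5 has no SLO endpoint at all.
SESSIONS = {
    "sp1.example.com": sp_metadata("sp1.example.com", HTTP_REDIRECT),
    "sp2.example.com": sp_metadata("sp2.example.com", HTTP_REDIRECT),
    "sp3.example.com": sp_metadata("sp3.example.com", HTTP_REDIRECT),
    "sp4.example.com": sp_metadata("sp4.example.com", HTTP_POST),
    "sp5.example.com": sp_metadata("sp5.example.com"),
}
ANSWERS = {
    "sp2.example.com": (STATUS_SUCCESS, 0.4),
    "sp3.example.com": (STATUS_SUCCESS, 5.0),  # answers Success, but after the timeout
}


if __name__ == "__main__":
    ok, per_sp = propagate_logout("sp1.example.com", SESSIONS, ANSWERS)
    for sp, result in per_sp.items():
        print(f"{sp}: {result}")
    print("all sessions terminated" if ok else "SLO incomplete: close all browser windows")
```

Run slo_endpoint against the real metadata you imported for each SP before enabling SLO: an SP that returns None here is exactly the "session not supporting SLO" that the flow skips and that stays alive until the browser is closed.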

Other

 Branding

For branding customizations, modify the _slologoutPage.html and _sloResultsPage.html pages.

 Common issues
  • For SLO to work end to end, the IDP and all SPs must be configured to support SLO; sessions at SPs that do not support SLO are not terminated.
  • If any SP returns a logout failure response, or if the IDP session has timed out, the SLO is reported as failed.

In all the cases above where the single logout flow does not complete, it is strongly recommended to close the browser window to make sure that dangling sessions are terminated.

 Limitations
  • SLO improves user experience and security by removing the need for end-users to log out of every SSO session manually. It does, however, have some drawbacks.
  • The only error detail SLO carries is the status code in the logout response. SLO works reliably only if the IDP and every SP support and enable SLO; a single SP without SLO can affect the whole flow and result in a failed SLO.
  • Digital Access currently supports only front-channel SLO, which relies on the session cookies in the browser. Because each SP's SLO endpoint is reached from the IDP's origin, a restrictive SameSite attribute on the SP's session cookie can prevent the cookie from being sent, so the SP cannot find the session to end and the SLO fails.
  • Back-channel logout is not yet implemented: it is SOAP-based and requires a lot of orchestration and additional development effort.
  • When Digital Access is configured as IDP and the same or another Digital Access instance is registered as one of the SPs, SLO currently has issues. This will be fixed in a coming release.

This article is valid for Smart ID 21.10 and later and Digital Access 6.1.0 and later.
