
SAML Single Logout in Digital Access

This article is valid for Smart ID 21.10 and later and Digital Access 6.1.0 and later.

This article describes the SAML Single Logout feature in the Smart ID Digital Access component.

SAML Single Logout (SLO) is a SAML flow that allows the end-user to log out from a single session and be automatically logged out of all related sessions that were established during Single Sign-On (SSO).

The end-user can initiate the SLO process from either the Identity Provider (IDP) or one of the Service Providers (SPs). Currently only front-channel SLO with the HTTP-Redirect binding is supported.

Enable Single Logout when Digital Access acts as IDP

  1. Log in to Digital Access Admin with an administrator account.

  2. In Digital Access Admin, go to Manage Resource Access.

  3. Click SAML Federation and select the IDP.

  4. Click SAML Federation.

  5. Select the Export tab.

  6. Check Enable Single Logout.


IDP initiated logout flow

Logout flow

When the user clicks logout in Digital Access, acting as IDP with Single Logout enabled:

  • A logout request is sent to every SP that has an active session with that IDP.

  • In response, each SP ends its own session and sends a logout response.

  • The IDP session is ended as well.

Logout status

The status of the SP logout, whether it was successful or not, can be seen on the logout page.

Issues

If any SP fails to log out, close all browser windows to make sure no session is left dangling.

SP initiated logout flow

Logout flow

When any participating SP initiates SLO with Digital Access as IDP:

  • The logout request is first sent to Digital Access.

  • Once Digital Access receives this request, it propagates it to the other participating SPs (those that have an SLO endpoint in their metadata).

  • These SPs will in turn end their sessions.

  • The logout response is then sent to Digital Access from all SPs.

  • Digital Access then logs itself out and also logs out the SP that initiated the logout.
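The flow above only reaches SPs that publish an SLO endpoint in their metadata, and only the front-channel HTTP-Redirect binding is supported, so a quick way to predict which sessions an SLO will actually end is to inspect the federation's SP metadata. The following Python is an added example, not Digital Access code; the metadata and entity IDs are constructed, and treating an SLO endpoint with a non-Redirect binding as unreachable is this example's assumption, since the page does not state how Digital Access handles that case.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample metadata for three hypothetical SPs: sp-a has a
# front-channel SLO endpoint, sp-b only an HTTP-POST one, sp-c none at all.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://sp-a.example.test">
    <md:SPSSODescriptor>
      <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
          Location="https://sp-a.example.test/saml/slo"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example.test">
    <md:SPSSODescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp-b.example.test/saml/slo"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-c.example.test">
    <md:SPSSODescriptor/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def slo_coverage(metadata_xml: str) -> dict:
    """Classify each SP by what the IDP can do with it at logout:
    'redirect'      - HTTP-Redirect SLO endpoint, will receive a LogoutRequest
    'other-binding' - SLO endpoint present, but not front-channel HTTP-Redirect
    'none'          - no SLO endpoint, so SLO cannot end this SP's session"""
    ns = {"md": MD}
    result = {}
    for ed in ET.fromstring(metadata_xml).findall("md:EntityDescriptor", ns):
        bindings = {
            svc.get("Binding")
            for svc in ed.findall("md:SPSSODescriptor/md:SingleLogoutService", ns)
        }
        if HTTP_REDIRECT in bindings:
            status = "redirect"
        elif bindings:
            status = "other-binding"
        else:
            status = "none"
        result[ed.get("entityID")] = status
    return result


def sps_left_behind(metadata_xml: str) -> list:
    """Entity IDs whose sessions an IDP-initiated SLO would not end."""
    return sorted(e for e, s in slo_coverage(metadata_xml).items() if s != "redirect")
```

Running `sps_left_behind` against your exported federation metadata before enabling Single Logout tells you which SPs will still need the "close all browser windows" fallback described under Issues.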

Issues

  • Digital Access, when acting as IDP, waits 3 seconds to receive logout responses from the SPs. If a response takes longer, the logout is shown as failed. If there are many SPs, this timeout can be increased in slo-logoutpage.js.

  • If an SP fails to log out due to errors, or if the IDP session has expired, the logout flow will not complete.

Other

For branding customizations, modify the _slologoutPage.html and _sloResultsPage.html pages.


Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.