Single Logout support in Veridium IdP

Starting with version 3.5, the Veridium IdP supports logout and Single Logout (SLO) actions.
SLO is complementary to SSO (Single Sign-On) and lets users log out from the applications they previously logged into using SSO. When a user logs out from one of the applications, all the other applications that use the authentication from the identity provider (IdP) also log out the user from their respective applications. This means users don't have to log out from every application they previously logged into.

How SLO Works

SAML is the open standard commonly used for implementing SSO; the Single Logout Protocol is defined in section 3.7 of the SAML 2.0 core specification. With SAML, three entities are involved in the workflow:

  • User agents access the application. In many situations, the user agent is the web browser the user uses to access different applications.

  • Service providers (SP) are the applications that the users need to access, such as Google Calendar or Instagram.

  • Identity providers (IdP) manage the identity and credentials of the users that need to access various service providers. IdPs authenticate and authorize users on behalf of multiple service providers.

These three entities are also involved in SLO. For example, consider a user who has already used SSO to log into multiple service providers through the IdP. When that user logs into an application with SSO, a NameID and a unique SessionIndex (an optional attribute) are exchanged between the SP and the IdP. The NameID represents the user being authenticated, and the SessionIndex represents a particular session on the service provider. Both the SP and the IdP keep these attributes to identify an SSO session.

If the user used SSO to log in to three SP applications, App1, App2, and App3, and then the user clicks on the Logout button in App1, a logout request is issued by App1 and sent to the IdP/SSO provider with the NameID and SessionIndex (if present). To log the user out from all other SP applications, the IdP/SSO provider identifies all of the user’s active sessions using their NameID.
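The fan-out described above, as an added example that is not Veridium's or Shibboleth's code: an in-memory model of the IdP's session records keyed by NameID, a configurable SP lifetime after which a record is forgotten, and the LogoutRequest exchange in both directions. The entityIDs, URLs, request IDs and timestamps are constructed placeholders; using the SP entityID as the `Destination` of the outgoing request is a simplification (a real IdP uses the SP's SingleLogoutService endpoint from its metadata).

```python
"""Toy model of the IdP-side bookkeeping behind SAML Single Logout.

Constructed for this example, not Veridium's or Shibboleth's code. Assumed:
the IdP keeps one record per (NameID, SP) holding the SessionIndex it issued,
records expire after a configurable SP lifetime, and a LogoutRequest from one
SP makes the IdP fan out LogoutRequests to every other SP that still has a
live session for the same NameID.
"""
from dataclasses import dataclass
from xml.etree import ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


@dataclass
class SpSession:
    sp: str             # entityID of the service provider
    session_index: str  # SessionIndex issued to that SP in the SSO assertion
    created_at: float   # seconds; plain numbers keep the example offline


class IdpSessionStore:
    """In-memory stand-in for the IdP's persisted SSO sessions."""

    def __init__(self, default_sp_lifetime_s: float):
        self.default_sp_lifetime_s = default_sp_lifetime_s
        self._by_name_id: dict[str, list[SpSession]] = {}

    def record_sso(self, name_id: str, sp: str, session_index: str, now: float) -> None:
        # Called whenever an SSO assertion is issued to an SP.
        self._by_name_id.setdefault(name_id, []).append(SpSession(sp, session_index, now))

    def active_sessions(self, name_id: str, now: float) -> list[SpSession]:
        # Records older than the SP lifetime are no longer "remembered".
        return [s for s in self._by_name_id.get(name_id, [])
                if now - s.created_at < self.default_sp_lifetime_s]

    def handle_logout(self, name_id: str, initiating_sp: str, now: float) -> list[tuple[str, str]]:
        """Return (sp, session_index) pairs that must receive a LogoutRequest.

        The initiating SP already ended its own session, so it is skipped;
        the IdP-side session for this NameID is dropped in any case.
        """
        targets = [(s.sp, s.session_index)
                   for s in self.active_sessions(name_id, now) if s.sp != initiating_sp]
        self._by_name_id.pop(name_id, None)
        return targets


def build_logout_request(issuer, destination, name_id, session_index=None,
                         request_id="_example-req-1", issue_instant="2024-01-01T00:00:00Z"):
    """Serialize an (unsigned) samlp:LogoutRequest; SessionIndex is optional per the spec."""
    req = ET.Element(f"{{{SAMLP_NS}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": destination})
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML_NS}}}NameID").text = name_id
    if session_index is not None:
        ET.SubElement(req, f"{{{SAMLP_NS}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def parse_logout_request(xml_text):
    """Extract (issuer, NameID, SessionIndex-or-None) from a LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    idx = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    return (root.find(f"{{{SAML_NS}}}Issuer").text,
            root.find(f"{{{SAML_NS}}}NameID").text,
            idx.text if idx is not None else None)


def propagate_logout(store, idp_entity_id, incoming_request_xml, now):
    """IdP side: receive App1's LogoutRequest, emit one LogoutRequest per other SP."""
    issuer, name_id, _session_index = parse_logout_request(incoming_request_xml)
    out = []
    for sp, sp_session_index in store.handle_logout(name_id, issuer, now):
        out.append(build_logout_request(
            issuer=idp_entity_id,
            destination=sp,  # simplification: real IdPs use the SP's SLO endpoint from metadata
            name_id=name_id, session_index=sp_session_index,
            request_id=f"_example-{sp_session_index}"))
    return out


if __name__ == "__main__":
    store = IdpSessionStore(default_sp_lifetime_s=3600)
    apps = ("https://app1.example/sp", "https://app2.example/sp", "https://app3.example/sp")
    for i, app in enumerate(apps):
        store.record_sso("alice", app, f"idx-app{i + 1}", now=i)
    app1_logout = build_logout_request(apps[0], "https://idp.example/slo", "alice", "idx-app1")
    for msg in propagate_logout(store, "https://idp.example/idp", app1_logout, now=10):
        print(msg)
```

Two things the model makes visible: a session older than the configured SP lifetime is simply not in the fan-out list, so an SP whose record the IdP has forgotten will not be logged out by SLO; and the lookup is by NameID, which is why the SessionIndex in the incoming request is optional for finding the other sessions.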

Configuration

SLO is configured in Veridium Manager under Settings / Connectors / SAML, as follows:

  • Enable Single Logout (SLO) - Activates SLO and the persistence of sessions to Cassandra. It has one configurable parameter:

    • Default SP lifetime - Controls how long the IdP 'remembers' an SP's session.

Changing the SLO status will trigger Shibboleth IdP service restart.

  • Because this feature was not supported in earlier versions, the Shibboleth IdP metadata may have the SLO endpoints disabled (commented out) to avoid misconfiguration during SP-IdP integration.

Enable SLO endpoints in the metadata in Veridium Manager:

  1. Navigate to Settings / Advanced / shibboleth / idp-metadata.xml

  2. Search for SingleLogoutService entries.

  3. Check if the endpoints are disabled:

    1. If they are disabled, enable them by removing the <!-- ... --> comment markers and save the changes.

    2. If they are already enabled, no action is needed.

When the IdP metadata is changed, the integrated SAML applications must be resynchronized with the new metadata.
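A way to script the check in steps 2 and 3 before touching the file by hand, as an added example that is not Veridium tooling: count the SingleLogoutService elements that are active versus commented out in a copy of idp-metadata.xml, and produce a copy with the comment markers removed. SAMPLE_METADATA is constructed (the entityID, hostnames and Location URLs are placeholders); the element names and binding URIs are the standard SAML 2.0 metadata ones.

```python
"""Check whether a Shibboleth idp-metadata.xml has its SingleLogoutService
endpoints commented out, and produce a copy with them enabled.

Added example, not Veridium tooling. SAMPLE_METADATA is constructed: the
entityID, hostnames and Location URLs are placeholders, but the element
names and binding URIs are the standard SAML 2.0 metadata ones.
"""
import re
from xml.etree import ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!--
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example/idp/profile/SAML2/Redirect/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example/idp/profile/SAML2/POST/SLO"/>
    -->
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def count_slo_endpoints(xml_text: str) -> tuple[int, int]:
    """Return (active, commented_out) counts of SingleLogoutService elements."""
    root = ET.fromstring(xml_text)  # the parser drops comments, so only active ones remain
    active = len(list(root.iter(f"{{{MD_NS}}}SingleLogoutService")))
    commented = sum(m.group(1).count("<SingleLogoutService")
                    for m in COMMENT_RE.finditer(xml_text))
    return active, commented


def enable_slo_endpoints(xml_text: str) -> str:
    """Strip the <!-- --> markers around any comment that holds SLO endpoints."""
    def uncomment(m: re.Match) -> str:
        body = m.group(1)
        return body if "<SingleLogoutService" in body else m.group(0)
    fixed = COMMENT_RE.sub(uncomment, xml_text)
    ET.fromstring(fixed)  # must still be well-formed XML; raises before anything is saved
    return fixed


def slo_endpoint_locations(xml_text: str) -> list[str]:
    """Location URLs of the active SLO endpoints (what SPs will see after re-sync)."""
    root = ET.fromstring(xml_text)
    return [e.get("Location") for e in root.iter(f"{{{MD_NS}}}SingleLogoutService")]


if __name__ == "__main__":
    print("before:", count_slo_endpoints(SAMPLE_METADATA))
    fixed = enable_slo_endpoints(SAMPLE_METADATA)
    print("after: ", count_slo_endpoints(fixed))
    for loc in slo_endpoint_locations(fixed):
        print("  ", loc)
```

The rewrite uncomments an entire comment block if it contains any SingleLogoutService element, so review the result if a block mixes SLO entries with other commented-out text. Treat the output as the content to paste back into idp-metadata.xml in Veridium Manager; the SPs still need a metadata re-sync afterwards, since they only learn the SLO endpoints from the published metadata.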

SLO in Self Service Portal

Related to SLO is a change affecting the Self Service Portal (SSP): logging out of the SSP can trigger an SLO, but this has to be enabled first.

  1. Navigate to Settings / Services / SSP / Saml Configuration (tab)

  2. Enable the Logout all other sessions flag

  3. Save the configuration change

Changing this setting will trigger an SSP service restart.
