Single Logout (SLO) is a concept complementary to Single Sign-On (SSO).
- Single Sign-On (SSO): This authentication method allows Users to access multiple applications using a single set of login credentials. It simplifies the login process by eliminating the need to remember different Usernames and Passwords for various services. With SSO, once a User logs in, they gain secure access to multiple applications without re-entering their credentials.
- Single Logout (SLO): SLO works in the reverse direction. When a User logs out from one application (using SSO), SLO ensures that the User is also signed out from all other applications they accessed using the same set of credentials. In other words, if you log out from one service provider, all active sessions tied to that identity are terminated automatically. SLO relies on systems and architecture similar to those needed for SSO. The Security Assertion Markup Language (SAML) 2.0 provides a dedicated logout profile for implementing SLO.
Without SLO, Users would have to manually log out from every session they’ve signed into. With SLO, signing out from one service provider terminates all active sessions, which is far more convenient.
SLO ensures that Users are completely logged out of every application tied to their identity. Without it, there’s a risk that Users might forget some active sessions, leaving their identity partially logged in and posing a security risk. For example, an employee using a temporary workstation could inadvertently leave multiple applications logged in.
In summary, SLO enhances security and User experience by simplifying the logout process across multiple applications. It’s an effective counterpart to the convenience offered by SSO.
Configuring Single Logout in Absorb
A System Admin will be required to access Portal Settings and click the Manage SSO Settings button.
Single Logout is available for incoming SAML SSO configurations using one of the following Modes:
- Identity Provider Initiated
- Service Provider Initiated
If your SAML SSO configuration is using one of the above Modes, you will see the Single Logout toggle.
Click the Single Logout toggle to expand the External Single Logout Url field and Wait for IdP Response toggle.
In the External Single Logout Url field, enter the SLO endpoint that you want to direct Single Logout requests to. This URL is specific to your configuration or SSO provider.
Even if the option for Single Logout appears on the Manage Single Sign-On Settings page, your SSO provider may not allow for Single Logout. Confirm that your configuration and provider support Single Logout if you can't locate an External Single Logout Url.
Wait for IdP Response
The Wait for IdP Response toggle defaults to being disabled. Click the toggle to enable it.
- Enabled: The Portal will wait until the IdP sends the response back to the LMS before logging out the User. This follows the order of operations described in this article.
- Disabled: The Portal will log out the User regardless of whether the SLO flow succeeds on the IdP side.
Logout URL
The Logout URL is a field on the Manage Single Sign-On Settings page that can be used in place of, or alongside Single Logout. A Logout URL can be any URL that you want to direct a User to when they sign out of your Portal.
Signing out and being directed to a Logout URL does not transfer credentials or sign an SSO identity out of any other instances. It controls only the URL that the User lands on after signing out.
External Configuration
On the Absorb side of the configuration there are only the Single Logout toggle, the External Single Logout Url field and the Wait for IdP Response toggle.
This is not the full extent of configuration required for a Single Logout flow to be successful. There is an external component that may change between configurations or SSO providers. This section details the required components of this setup.
Single Logout follows this order of operations:
- A User clicks Logout in Absorb.
- Absorb performs a GET call with SAMLRequest as a URL parameter to the External Single Logout Url.
- The IdP verifies the request, and responds with a SAML POST to /api/rest/v2/authentication/samlLogout.
- Absorb verifies the response and then performs an HTTP redirect to the Logout URL (if applicable).
Important Fields for Single Logout
For a SAML Authentication Response (SAML Response) sent to the LMS, the following elements are required:
- SAML Assertion: All the elements as denoted below:
  - Assertion: The package element of information with one or more statements.
    - ID: Identifier for this assertion.
    - IssueInstant: Time at which the assertion was issued, in UTC.
    - Version: The SAML version for this assertion, should be “2.0”.
    - Issuer: The authority making the claim in this assertion, should be the URI for your IdP.
    - <ds:Signature>: Contains the XML Signature that protects the integrity of this assertion.
  - Subject: The package element for the subject’s (User) identity.
    - NameId: The ID Property identifier as configured in Absorb SSO settings.
  - Conditions: Contains information that denotes the validity of the assertion.
    - NotBefore: A time instant in UTC.
    - NotOnOrAfter: A time instant in UTC.
  - AuthnStatement: Contains information about the authentication of the assertion subject.
    - AuthnInstant: A time instant in UTC.
    - AuthnContext: The context of the authentication event.
    - SessionIndex: Part of the AuthnStatement, contains a session identifier.
For a SAML Logout Response (LogoutResponse) sent to the LMS, the following elements are required:
- Issuer: The authority making the claim in this response, should be the URI for your IdP.
- <ds:Signature>: Contains the XML Signature that protects the integrity of this response.
- Status: Contains the StatusCode.
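The following is an added example, not Absorb code, that walks through the two SAML-level steps above: encoding the LogoutRequest that the GET to the External Single Logout Url carries (the SAML 2.0 HTTP-Redirect binding: raw DEFLATE, base64, URL-encode), and checking that the LogoutResponse the IdP POSTs back contains the required Issuer, ds:Signature and Status elements. The URLs, NameID and SessionIndex values are constructed, and the sample response carries a placeholder signature; real XML-DSig verification against the IdP certificate is a separate step this check does not perform.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def build_logout_redirect(slo_url, sp_issuer, name_id, session_index, req_id, instant):
    """Step 2: the GET to the External Single Logout Url. The SAML 2.0 HTTP-Redirect binding
    sends the LogoutRequest as raw DEFLATE -> base64 -> URL-encoded SAMLRequest parameter."""
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{instant}" Destination="{slo_url}">'
           f'<saml:Issuer>{sp_issuer}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>'
           f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    sep = "&" if "?" in slo_url else "?"
    return slo_url + sep + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def decode_saml_request(url):
    """What the IdP does on receipt: reverse the Redirect binding and parse the XML."""
    param = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return ET.fromstring(zlib.decompress(base64.b64decode(param), -15))

def check_logout_response(saml_response_b64, idp_issuer):
    """Step 4: the IdP POSTs a base64 LogoutResponse. Check the elements the article lists as
    required (Issuer, ds:Signature, Status) and that Issuer is the configured IdP. Returns a
    list of problems (empty = OK). Only the presence of ds:Signature is checked here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = [] if root.tag == f"{{{NS['samlp']}}}LogoutResponse" else ["not a LogoutResponse"]
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != idp_issuer:
        problems.append("Issuer missing or not the configured IdP")
    if root.find("ds:Signature", NS) is None:
        problems.append("missing ds:Signature")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None:
        problems.append("missing Status/StatusCode")
    elif code.get("Value") != SUCCESS:
        problems.append("IdP reported " + str(code.get("Value")))
    return problems

# Constructed sample LogoutResponse from an IdP (the Signature element is a placeholder only).
SAMPLE_RESPONSE = base64.b64encode((
    f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
    'ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>'
    '<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:LogoutResponse>'
).encode()).decode()
```

When Wait for IdP Response is enabled, a non-empty problem list from the check is the case in which the Portal would not complete the logout.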