SAML Single Logout

Isanka Rajapaksha
3 min read · Nov 13, 2019

Single sign-on (SSO) allows a user to sign on with one set of credentials and gain access to multiple applications and services. SSO improves security and gives clients, staff and associates a better user experience by reducing the number of accounts and passwords they need and offering easier access to all the applications and services they use.

What about Single Logout (SLO)? After all, authentication (SSO) is only the first half of the story.

With single sign-on (SSO), users only need to log in once and can then access several websites without additional login prompts, so it is easy for them to be unaware that they have other sessions open. All of these open sessions are exposed to attacks such as Cross-Site Request Forgery (CSRF) and session hijacking. Signing out from one service provider does not mean you are signed out from the identity provider, nor does it terminate all the other logged-in sessions. End users rarely log out of each session established during SSO.

That is where Single Logout comes into play. With single logout (SLO), your users can log out from a single application and be automatically logged out from all connected apps. So, using SLO, we can eliminate that risk.

The SAML protocol is a popular choice for enabling SSO and contains a built-in feature called SAML Single Logout (SLO).

“The SAML single logout protocol provides a message exchange protocol by which all sessions provided by a particular session authority are near-simultaneously terminated.”

This protocol helps address the problem of orphaned logins. SLO allows a user to terminate all server sessions established via SAML SSO by initiating the logout process once.

The single logout protocol can be combined with a synchronous binding, such as the SOAP binding, or with asynchronous “front-channel” bindings, such as the HTTP Redirect, POST, or Artifact bindings.

SAML Single Logout has two different use cases:

  • Service provider (SP)-initiated logout.
  • Identity provider (IdP)-initiated logout.

SP-initiated SAML Single Logout

The SP-initiated single logout flow:
  • The user clicks the Logout button and initiates the logout.
  • The service provider (SP) issues a digitally signed <LogoutRequest> SAML message to the identity provider (IdP).
  • The IdP validates the <LogoutRequest> and determines the other SLO-capable SPs to which the end user received SSO during the current logon session. The IdP then iteratively issues a new digitally signed <LogoutRequest> for each participating SP.
  • Each SP terminates its own logon session for the end user after receiving and validating the <LogoutRequest> from the IdP and returns a <LogoutResponse> to the IdP.
  • After receiving a <LogoutResponse> from each of the other SPs, the IdP terminates the principal's session and issues a <LogoutResponse> message to the original requesting SP.
  • The SP displays a logout page to the end user.
How SAML SP-initiated single logout works.

IdP-initiated SAML Single Logout

  • The user clicks a "Logout" link on the IdP that calls into the IdP's SLO endpoint/URL.
  • The IdP determines the other SLO-capable SPs to which the end user received SSO during the current logon session. The IdP then iteratively issues a new digitally signed <LogoutRequest> for each participating SP.
  • Each SP terminates its own logon session for the end user after receiving and validating the <LogoutRequest> from the IdP and returns a <LogoutResponse> to the IdP.
  • Upon receiving the final <LogoutResponse>, the IdP terminates its session.
  • The IdP displays a logout page to the end user.
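The two flows above share the same core: the IdP validates the incoming request, fans out a signed LogoutRequest to every other SP that received SSO in that session, collects the LogoutResponses, and only then ends the principal's session. The following is an added example (not code from the original post or from any SAML library) that models that core for the SP-initiated case. It assumes SAML elements are represented as plain dicts, that an HMAC over the sorted JSON stands in for the XML signature each side would verify in real SAML, and constructed entityIDs, keys and session identifiers.

```python
import hmac, hashlib, json, time

# Assumption (not from the post): messages are dicts; HMAC stands in for XML-DSig.
IDP_ID = "https://idp.example/saml"   # constructed IdP entityID

def sign(key: bytes, msg: dict) -> dict:
    body = json.dumps(msg, sort_keys=True).encode()
    return {**msg, "Signature": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key: bytes, msg: dict) -> bool:
    unsigned = {k: v for k, v in msg.items() if k != "Signature"}
    expected = sign(key, unsigned)["Signature"]
    return hmac.compare_digest(msg.get("Signature", ""), expected)

class SP:
    def __init__(self, entity_id: str, key: bytes):
        self.entity_id, self.key, self.sessions = entity_id, key, set()

    def handle_logout_request(self, req: dict) -> dict:
        # Terminate the local logon session only for a request the IdP signed.
        ok = verify(self.key, req) and req.get("Issuer") == IDP_ID
        if ok:
            self.sessions.discard((req["NameID"], req["SessionIndex"]))
        return sign(self.key, {"Issuer": self.entity_id, "InResponseTo": req.get("ID"),
                               "Status": "Success" if ok else "Requester"})

class IdP:
    def __init__(self, sp_keys: dict):
        self.sp_keys = sp_keys    # SP entityID -> key shared with that SP
        self.sessions = {}        # (NameID, SessionIndex) -> SPs that received SSO

    def record_sso(self, name_id: str, session_index: str, sp: str) -> None:
        self.sessions.setdefault((name_id, session_index), set()).add(sp)

    def handle_logout_request(self, req: dict, sps: dict) -> dict:
        issuer, key = req.get("Issuer"), self.sp_keys.get(req.get("Issuer"))
        sess = (req.get("NameID"), req.get("SessionIndex"))
        reply = lambda s: sign(key or b"", {"Issuer": IDP_ID, "InResponseTo": req.get("ID"), "Status": s})
        # Validate before touching any session: known issuer, good signature, not expired
        # (NotOnOrAfter is optional in SAML), and the issuer really took part in the session.
        if (key is None or not verify(key, req)
                or ("NotOnOrAfter" in req and req["NotOnOrAfter"] <= time.time())
                or issuer not in self.sessions.get(sess, set())):
            return reply("Requester")
        status = "Success"
        for sp in self.sessions[sess] - {issuer}:   # fan out to the other participating SPs
            fanout = sign(self.sp_keys[sp], {"ID": f"idp-req-{sp}", "Issuer": IDP_ID,
                                             "NameID": sess[0], "SessionIndex": sess[1]})
            if sps[sp].handle_logout_request(fanout).get("Status") != "Success":
                status = "PartialLogout"            # SAML second-level status code
        del self.sessions[sess]                     # principal session ends last
        return reply(status)
```

The originating SP ends its own session once it receives the IdP's LogoutResponse; an SP that never received SSO in that session is never contacted.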

Implementing SAML Single Logout mitigates the risk of orphaned SSO sessions and lets users log out with (more) confidence.

WSO2 Identity Server, an open-source IAM product distributed under the Apache 2.0 license, supports both the asynchronous (front-channel) and synchronous (back-channel) bindings for the Single Logout profile, as the SAML 2.0 specification defines.

And if you are hunting for an IAM solution, give the WSO2 Identity & Access Management solution a shot; it is a widely recognized and powerful solution if you are looking for high security.

References:

http://saml.xml.org/saml-specifications
