SAML - Configure Single Logout (SLO)
This document describes how to configure the system for Single Logout when PhenixID Server is set up as a SAML IdP.
The Single Logout function will:
- Consume a SAML LogoutRequest from the initiating SP
- Terminate (remove) the PhenixID Server session
- Produce a SAML LogoutResponse and send it to the SP
Prerequisites
- SAML Authentication scenario (any authentication method) configured.
Add SingleLogout URL
1. Logon to Configuration Manager
2. Open Scenarios and click the Federation scenario to be edited
3. Click the Identity Provider tab
4. Add a POST SLO URL of the form:
https://<phenixid_server>/saml/authenticate/<SLO_authenticator_alias>
The <SLO_authenticator_alias> part must match the alias of the SLO authenticator added in a later step. With the alias SLO used in this document, the URL becomes:
https://<phenixid_server>/saml/authenticate/SLO
Fetch targetEntityID value
1. Open the scenario you edited in the previous step
2. Click Execution Flow
3. Click the execution flow containing the AssertionProvider valve
4. Show the AssertionProvider valve
5. Fetch the value of the targetEntityID parameter. This value is used in a later step.
Add SLO Authenticator
1. Open the Advanced tab
2. Open Authentication - HTTP
3. Add this authenticator:
{
"alias" : "SLO",
"name" : "SAMLLogout",
"configuration" : {
"pipeID" : "pipeSLO"
},
"id" : "SLO"
}
4. Click Stage Changes and Commit Changes.
Add pipe
1. Open the Advanced tab
2. Open Pipes
3. Add this pipe. Replace the targetIDP parameter value with the targetEntityID value fetched in the previous step.
{
"id" : "pipeSLO",
"valves" : [ {
"name" : "LogoutConsumer",
"config" : {
"targetIDP" : "<replace_this_with_targetEntityID_fetched_in_previous_step>"
}
}, {
"name" : "SessionLoadValve",
"config" : {
"id" : "{{request.session_id}}"
}
}, {
"name" : "SessionRemoveValve",
"config" : { }
} ]
}
4. Click Stage Changes and Commit Changes.
Verify Logout URL in SAML IdP metadata
1. Open the scenario
2. Open the Identity Provider tab
3. Click View SAML IdP Metadata
4. Verify that a SingleLogoutService element with the POST binding and the SLO URL is now present in the metadata.
5. Distribute the updated SAML IdP Metadata to the SP.
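The following Python script is an added example, not part of this page or of PhenixID's own code. It shows what the SP side of the exchange configured above looks like: it reads the SingleLogoutService element out of IdP metadata (a constructed fragment, not real PhenixID output), builds the LogoutRequest the SP POSTs to the SLO URL, and checks the LogoutResponse the IdP sends back (Issuer matches the IdP entityID, InResponseTo matches the request ID, StatusCode is Success). All entity IDs, URLs, NameID values and the session index are made-up assumptions. The script does not verify XML signatures; a production SP must verify the IdP's signature on the LogoutResponse and check IssueInstant freshness before treating the logout as complete.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed IdP metadata fragment (assumed entityID and URLs, not real PhenixID
# output) containing the SingleLogoutService element the page tells you to verify.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/authenticate/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/authenticate/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def find_slo_endpoint(metadata_xml, binding=POST_BINDING):
    """Return (entityID, Location) of the SingleLogoutService using `binding`,
    or None when the metadata carries no such element (SLO not configured)."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    for slo in root.iterfind("md:IDPSSODescriptor/md:SingleLogoutService", NS):
        if slo.get("Binding") == binding:
            return entity_id, slo.get("Location")
    return None


def build_logout_request(sp_entity_id, destination, name_id, session_index):
    """Build an unsigned SAML LogoutRequest as the SP would POST it to the IdP
    SLO URL. Returns (request_id, value for the SAMLRequest form parameter).
    The request ID is kept so the LogoutResponse can be matched to it."""
    request_id = "_" + secrets.token_hex(16)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element("{%s}LogoutRequest" % NS["samlp"], {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": destination,
    })
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = sp_entity_id
    ET.SubElement(req, "{%s}NameID" % NS["saml"], {"Format": EMAIL_FORMAT}).text = name_id
    ET.SubElement(req, "{%s}SessionIndex" % NS["samlp"]).text = session_index
    xml_bytes = ET.tostring(req, encoding="utf-8", xml_declaration=True)
    return request_id, base64.b64encode(xml_bytes).decode("ascii")


def make_logout_response(idp_entity_id, in_response_to, destination, status=STATUS_SUCCESS):
    """Constructed LogoutResponse standing in for what the IdP would POST back,
    so the checks below can be exercised offline."""
    xml = (
        '<samlp:LogoutResponse xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2024-01-01T00:00:00Z" InResponseTo="%s" Destination="%s">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
        '</samlp:LogoutResponse>'
    ) % (NS["samlp"], NS["saml"], in_response_to, destination, idp_entity_id, status)
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def check_logout_response(saml_response_b64, expected_issuer, expected_in_response_to,
                          expected_destination):
    """Decode the SAMLResponse form parameter and verify the fields an SP must
    check before ending its own session. Returns (ok, reason).
    Signature verification is deliberately out of scope here (see lead-in)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        return False, "not a LogoutResponse"
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return False, "issuer mismatch: %r" % issuer
    if root.get("InResponseTo") != expected_in_response_to:
        return False, "InResponseTo does not match our LogoutRequest ID"
    if root.get("Destination") not in (None, expected_destination):
        return False, "Destination does not match our SLO endpoint"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        return False, "status is not Success: %r" % (code.get("Value") if code is not None else None)
    return True, "logout confirmed by IdP"


if __name__ == "__main__":
    idp_id, slo_url = find_slo_endpoint(IDP_METADATA)
    rid, form_value = build_logout_request("https://sp.example.org/saml", slo_url,
                                           "alice@example.com", "session-1")
    response = make_logout_response(idp_id, rid, "https://sp.example.org/saml/slo")
    print(check_logout_response(response, idp_id, rid, "https://sp.example.org/saml/slo"))
```

The InResponseTo check is the one most often skipped: without it an attacker who can post any old, replayed LogoutResponse to the SP's SLO endpoint can end a victim's SP session. Run the IdP metadata exported in the step above through find_slo_endpoint to confirm the SingleLogoutService element is actually present before distributing it.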