SAML - Configure Single Logout (SLO)

This document describes how to configure Single Logout (SLO) when PhenixID Server is set up as a SAML IdP.

The Single Logout function will:

- Consume a SAML LogoutRequest from the initiating SP

- Kill the PhenixID server session

- Produce a SAML LogoutResponse and send it to the SP
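The three steps above, as an added illustration that is not PhenixID code and does not use its valves: a constructed LogoutRequest (sample, not captured traffic) is parsed, the issuer and Destination are checked against a table of known SPs and this IdP's SLO URL before any session is touched, the matching server-side session is removed, and a LogoutResponse with InResponseTo set to the request ID is produced. XML signature verification, which a real deployment must also perform, is left out here; the entity IDs, URLs and the in-memory session store are assumptions for the example.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed sample: a LogoutRequest as an SP would POST it to the IdP's SLO URL.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req-0001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://idp.example.test/saml/authenticate/SLO">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  <samlp:SessionIndex>_sess-42</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def parse_logout_request(xml_text):
    """Step 1: consume the LogoutRequest and pull out the fields the IdP needs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    name_id = root.find(f"{{{SAML}}}NameID")
    session_index = root.find(f"{{{SAMLP}}}SessionIndex")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "session_index": session_index.text if session_index is not None else None,
    }


def build_logout_response(in_response_to, idp_entity_id, destination, status_code):
    """Step 3: produce the LogoutResponse that goes back to the SP's SLO endpoint."""
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "InResponseTo": in_response_to,
        "Destination": destination,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": status_code})
    return ET.tostring(resp, encoding="unicode")


def parse_logout_response(xml_text):
    """What the SP checks on receipt: the InResponseTo and the status code."""
    root = ET.fromstring(xml_text)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return {"in_response_to": root.get("InResponseTo"), "status": code.get("Value")}


def handle_single_logout(xml_text, sessions, known_sps, idp_entity_id, slo_url):
    """Consume request, kill the session, answer the SP (the three SLO steps).

    sessions:  dict SessionIndex -> session data (assumed in-memory store)
    known_sps: dict SP entityID -> SP SLO endpoint URL (assumed trust table)
    """
    req = parse_logout_request(xml_text)
    sp_slo_url = known_sps.get(req["issuer"])
    if sp_slo_url is None or req["destination"] != slo_url:
        # Unknown SP or a request not addressed to this IdP: leave every session
        # untouched. There is no trusted endpoint to answer, so nothing is sent.
        return {"status": STATUS_REQUESTER, "response": None, "session_removed": False}
    removed = sessions.pop(req["session_index"], None) is not None   # step 2
    response = build_logout_response(req["id"], idp_entity_id, sp_slo_url, STATUS_SUCCESS)
    return {"status": STATUS_SUCCESS, "response": response, "session_removed": removed}
```

A request whose Issuer is not in the trust table is dropped without removing any session, so a forged LogoutRequest from an unknown party cannot log users out; the SessionIndex is what links the request to the server-side session.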

Prerequisites

  • SAML Authentication scenario (any authentication method) configured.
  • For version 4.0, this patch must be applied.

Add SingleLogout URL

1. Logon to Configuration Manager

2. Open Scenarios and click the Federation scenario to be edited

3. Click the Identity Provider tab

4. Add a POST SLO URL:

https://<phenixid_server>/saml/authenticate/<SLO_authenticator_alias>


Fetch IDP entity ID value

1. Open the scenario you edited in the previous step

2. Click Identity Provider

3. Fetch the value of the Entity ID parameter. This value is used as targetIDP in a later step.

Add SLO Authenticator

1. Open the Advanced tab

2. Open Authentication - HTTP

3. Add this authenticator:

{
  "alias" : "SLO",
  "name" : "SAMLLogout",
  "configuration" : {
    "pipeID" : "pipeSLO"
  },
  "id" : "SLO"
}

4. Click Stage Changes and Commit Changes

Add pipe

1. Open the Advanced tab

2. Open Pipes

3. Add this pipe. Make sure to replace the targetIDP parameter value with the Entity ID fetched in the previous step.

{
  "id" : "pipeSLO",
  "valves" : [ {
    "name" : "LogoutConsumer",
    "config" : {
      "targetIDP" : "<replace_this_with_targetEntityID_fetched_in_previous_step>"
    }
  }, {
    "name" : "SessionLoadValve",
    "config" : {
      "id" : "{{request.session_id}}"
    }
  }, {
    "name" : "SessionRemoveValve",
    "config" : { }
  } ]
}


Example:

{
  "id" : "pipeSLO",
  "valves" : [ {
    "name" : "LogoutConsumer",
    "config" : {
      "targetIDP" : "https://ubuntu.anders.local:8443/saml/idp"
    }
  }, {
    "name" : "SessionLoadValve",
    "config" : {
      "id" : "{{request.session_id}}"
    }
  }, {
    "name" : "SessionRemoveValve",
    "config" : { }
  } ]
}

4. Click Stage Changes and Commit Changes.

Verify Logout URL in SAML IdP metadata

1. Open the scenario

2. Open the Identity Provider tab

3. Click View SAML IdP Metadata

4. Verify that a SingleLogout element is now displayed in the metadata.

5. Distribute the updated SAML IdP Metadata to the SP.
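A consistency check covering the authenticator, pipe and metadata steps above, added here as an example and not part of PhenixID's tooling: it reads the authenticator and pipe JSON in the shape shown in this document, parses the exported IdP metadata (a constructed sample below, using the entity ID from the pipe example), and reports anything that would stop SLO from working: the placeholder left in targetIDP, a pipeID that points at no pipe, a pipe that removes the session before loading it, or metadata with no HTTP-POST SingleLogoutService at https://<phenixid_server>/saml/authenticate/<alias>. The server base URL and the metadata layout are assumptions; the check is meant to run against the JSON copied out of Configuration Manager and the metadata downloaded in the last step.

```python
import json
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SERVER_BASE = "https://ubuntu.anders.local:8443"   # assumed <phenixid_server>

# Constructed sample config, in the shape of the authenticator and pipe shown in the steps.
AUTHENTICATORS = json.loads("""[
  { "alias": "SLO", "name": "SAMLLogout", "configuration": { "pipeID": "pipeSLO" }, "id": "SLO" }
]""")

PIPES = json.loads("""[
  { "id": "pipeSLO", "valves": [
      { "name": "LogoutConsumer", "config": { "targetIDP": "https://ubuntu.anders.local:8443/saml/idp" } },
      { "name": "SessionLoadValve", "config": { "id": "{{request.session_id}}" } },
      { "name": "SessionRemoveValve", "config": {} } ] }
]""")

# The same pipe with the template's placeholder left in place (a common slip).
PLACEHOLDER_PIPES = json.loads("""[
  { "id": "pipeSLO", "valves": [
      { "name": "LogoutConsumer", "config": { "targetIDP": "<replace_this_with_targetEntityID_fetched_in_previous_step>" } },
      { "name": "SessionLoadValve", "config": { "id": "{{request.session_id}}" } },
      { "name": "SessionRemoveValve", "config": {} } ] }
]""")


def make_metadata(include_slo=True):
    """Constructed sample of the relevant part of the exported IdP metadata."""
    slo = (f'    <md:SingleLogoutService Binding="{BINDING_POST}"\n'
           f'        Location="{SERVER_BASE}/saml/authenticate/SLO"/>\n') if include_slo else ""
    return (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="{SERVER_BASE}/saml/idp">\n'
            f'  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
            f'{slo}'
            f'    <md:SingleSignOnService Binding="{BINDING_POST}"\n'
            f'        Location="{SERVER_BASE}/saml/authenticate/SAML"/>\n'
            f'  </md:IDPSSODescriptor>\n'
            f'</md:EntityDescriptor>\n')


def check_slo_config(authenticators, pipes, metadata_xml, server_base):
    """Return a list of findings; an empty list means the SLO wiring is consistent."""
    findings = []
    md = ET.fromstring(metadata_xml)
    entity_id = md.get("entityID")
    slo_locations = [e.get("Location") for e in md.iter(f"{{{MD}}}SingleLogoutService")
                     if e.get("Binding") == BINDING_POST]
    pipes_by_id = {p["id"]: p for p in pipes}

    slo_auths = [a for a in authenticators if a.get("name") == "SAMLLogout"]
    if not slo_auths:
        findings.append("no SAMLLogout authenticator configured")
    for auth in slo_auths:
        alias = auth["alias"]
        expected_url = f"{server_base}/saml/authenticate/{alias}"
        if expected_url not in slo_locations:
            findings.append(f"metadata has no HTTP-POST SingleLogoutService at {expected_url}")
        pipe_id = auth.get("configuration", {}).get("pipeID")
        pipe = pipes_by_id.get(pipe_id)
        if pipe is None:
            findings.append(f"authenticator {alias} references missing pipe {pipe_id!r}")
            continue
        names = [v["name"] for v in pipe["valves"]]
        if "LogoutConsumer" not in names:
            findings.append(f"pipe {pipe['id']} has no LogoutConsumer valve")
        for valve in pipe["valves"]:
            if valve["name"] == "LogoutConsumer":
                target = valve.get("config", {}).get("targetIDP")
                if target != entity_id:
                    findings.append(f"LogoutConsumer targetIDP {target!r} does not match "
                                    f"IdP entityID {entity_id!r}")
        load = names.index("SessionLoadValve") if "SessionLoadValve" in names else None
        remove = names.index("SessionRemoveValve") if "SessionRemoveValve" in names else None
        if load is None or remove is None or remove < load:
            findings.append(f"pipe {pipe['id']} should run SessionLoadValve before SessionRemoveValve")
    return findings


if __name__ == "__main__":
    for finding in check_slo_config(AUTHENTICATORS, PIPES, make_metadata(), SERVER_BASE) or ["OK"]:
        print(finding)
```

The targetIDP comparison is the check most worth keeping: the document's template ships with a placeholder string, and a pipe that still carries it passes JSON validation but will not match the IdP's own entity ID.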