Forums, Documentation & Knowledge Base - ComponentSpace

Inform identity provider about logout


https://www.componentspace.com/forums/Topic12327.aspx

By FlorianM - 1/13/2023

Hello,
I have a question about SLO.
Is there a way to inform an identity provider (which does not support SLO) about the logout of a user on a service provider (which does support SLO)?

The problem is this:
Service Provider supports SLO but Identity Provider does not. (Identity Provider can send an SLO command to the Service Provider, but the Service Provider cannot send one to the Identity Provider because of a missing configuration for SingleLogoutService.)

If a user logs on via the identity provider, logs off from the service provider and finally logs off from the identity provider, the identity provider starts SLO because it thinks it has to log off this user from the service provider.

So I would like to know if there is a way to tell the identity provider to ignore this user regarding SLO?

By ComponentSpace - 1/13/2023

The only logout mechanism included in the SAML specification is the exchange of SAML logout messages (i.e. SLO).

If this isn't possible, your only other option is some proprietary solution that doesn't involve SAML logout messages (e.g. redirecting to a logout endpoint).

If the identity provider supports IdP-initiated SLO but not SP-initiated SLO, you could redirect to some endpoint in the IdP which then initiates the SLO. This assumes that the IdP makes such an endpoint available.
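What the reply above comes down to on the service-provider side, as an added example that is not from this thread and is not ComponentSpace's own API (Python, standard library only): after the SP has ended its local session, check the IdP metadata for a SingleLogoutService with the HTTP-Redirect binding. If one is advertised, build a SAML LogoutRequest and send it over that binding; if not, fall back to a configured, non-SAML logout URL of the kind the reply mentions; if neither exists, the logout stays local. The two metadata documents, the entity IDs, the NameID, the SessionIndex and the fallback URL are all constructed for the example.

```python
"""Choose how a SAML service provider ends the IdP session after local logout.

Constructed example: metadata, entity IDs, NameID and the fallback URL are made up.
"""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata (hypothetical entity IDs and endpoints).
# The first IdP advertises a SingleLogoutService; the second only has SSO.
IDP_WITH_SLO = f"""<md:EntityDescriptor xmlns:md="{NS_MD}" entityID="https://idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS_SAMLP}">
    <md:SingleLogoutService Binding="{REDIRECT_BINDING}" Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

IDP_WITHOUT_SLO = f"""<md:EntityDescriptor xmlns:md="{NS_MD}" entityID="https://idp-noslo.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS_SAMLP}">
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://idp-noslo.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def slo_endpoint(metadata_xml, binding=REDIRECT_BINDING):
    """Return the Location of the IdP's SingleLogoutService for `binding`, or None."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iter(f"{{{NS_MD}}}SingleLogoutService"):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def build_logout_request(sp_entity_id, destination, name_id, session_index):
    """Minimal samlp:LogoutRequest; Destination must match the IdP's SLO endpoint."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now}" '
        f'Destination="{escape(destination)}">'
        f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>"
        f"<saml:NameID>{escape(name_id)}</saml:NameID>"
        f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def encode_redirect(xml_text):
    """HTTP-Redirect binding payload: raw DEFLATE, then base64 (urlencode does the URL escaping)."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(deflater.compress(xml_text.encode()) + deflater.flush()).decode()


def decode_redirect(value):
    """Inverse of encode_redirect: base64 decode, then raw INFLATE."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def plan_logout(metadata_xml, sp_entity_id, name_id, session_index, fallback_logout_url=None):
    """Decide how to tell the IdP about the logout once the SP session is gone.

    Returns ("saml-slo", url) when the IdP advertises SLO, ("proprietary-redirect", url)
    when only a non-SAML logout URL is configured, and ("local-only", None) otherwise.
    """
    location = slo_endpoint(metadata_xml)
    if location:
        request_xml = build_logout_request(sp_entity_id, location, name_id, session_index)
        query = urlencode({"SAMLRequest": encode_redirect(request_xml)})
        # A production SP also signs this query (SigAlg + Signature parameters); omitted here.
        return "saml-slo", f"{location}?{query}"
    if fallback_logout_url:
        return "proprietary-redirect", fallback_logout_url
    return "local-only", None


def inspect_redirect(url):
    """Decode the SAMLRequest from a redirect URL, i.e. what the IdP would receive."""
    query = parse_qs(urlparse(url).query)
    root = ET.fromstring(decode_redirect(query["SAMLRequest"][0]))
    return {
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{NS_SAML}}}NameID"),
        "session_index": root.findtext(f"{{{NS_SAMLP}}}SessionIndex"),
    }


if __name__ == "__main__":
    for metadata in (IDP_WITH_SLO, IDP_WITHOUT_SLO):
        kind, url = plan_logout(metadata, "https://sp.example.com", "alice@example.com",
                                "_sess1", fallback_logout_url="https://idp-noslo.example.com/logout")
        print(kind, url)
        if kind == "saml-slo":
            print(inspect_redirect(url))
```

Two caveats for anyone adapting this: the redirect-binding LogoutRequest is normally signed (SigAlg and Signature query parameters over SAMLRequest), and an IdP should reject unsigned requests, so the signing step left out above is not optional in production. And for the situation in the question, where the IdP later sends its own LogoutRequest for a session the SP has already ended, the SP should still answer with a LogoutResponse rather than fail, since the SP simply no longer has a session to terminate.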