[security-dev] SP-initiated Single Log Out

Adam Dong adamdong at vidder.com
Thu Dec 4 15:14:56 EST 2014

Is the configuration in picketlink.xml? But picketlink.xml only has <IdentityURL>, which is the SSO URL, not the SLO URL, right?

-----Original Message-----
From: Adam Dong 
Sent: Thursday, December 04, 2014 10:46 AM
To: 'Pedro Igor Silva'
Cc: security-dev at lists.jboss.org
Subject: RE: [security-dev] SP-initiated Single Log Out


Thanks a lot for the reply. I should have mentioned I need to use front channel. A follow-up question: after I send ?GLO=true to my SP from a browser, the ServiceProviderAuthenticator code would need to know the IDP's SLO URL to send the SLO request. How do I configure that (i.e., let ServiceProviderAuthenticator know the IDP SLO URL)?


-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com] 
Sent: Wednesday, December 03, 2014 5:03 PM
To: Adam Dong
Cc: security-dev at lists.jboss.org
Subject: Re: [security-dev] SP-initiated Single Log Out

Using front-channel SLO you need browser redirects. So you must send ?GLO=true to your SP from a browser.

But, if you are using back-channel SLO, I think you can invoke the IdP once with a ?GLO=true (using some http library) and it will invoke each SP to invalidate the session for the user. In this case, you need to pass the JSESSIONID from IdP, so it can restore user session and know the participants (SPs).

There is no API for that.

----- Original Message -----
From: "Adam Dong" <adamdong at vidder.com>
To: security-dev at lists.jboss.org
Sent: Wednesday, December 3, 2014 10:26:37 PM
Subject: [security-dev] SP-initiated Single Log Out


If I'd like to, from the SP side, initiate the SLO (single log out) programmatically (suppose it is the code behind a GUI "Logout" button), how do I do that (which class and which method to call)?


