Thanks for the pointers.
One last follow-up question: after all the SLO-related processing, if I want the browser
to settle on a certain page, how do I do that? Is it a matter of configuration somewhere
on the SP side? Or is it something I need to set in the original SLO request?
-----Original Message-----
From: Pedro Igor Silva [mailto:psilva@redhat.com]
Sent: Thursday, December 04, 2014 12:34 PM
To: Adam Dong
Cc: security-dev(a)lists.jboss.org
Subject: Re: [security-dev] SP-initiated Single Log Out
Hi Adam,
You can use the LogOutUrl attribute in PicketLinkSP [1]. By default, the logout URL is
the same as specified in IdentityURL.
PicketLink also picks the SingleLogoutService from the IdP descriptor, if you are using
metadata.
Regards.
[1]
https://docs.jboss.org/author/display/PLINK/Service+Provider+Configuration
----- Original Message -----
From: "Adam Dong" <adamdong(a)vidder.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Thursday, December 4, 2014 6:14:56 PM
Subject: RE: [security-dev] SP-initiated Single Log Out
Is the configuration in picketlink.xml? But picketlink.xml only has <IdentityURL>,
which is the SSO URL, not the SLO URL, right?
-----Original Message-----
From: Adam Dong
Sent: Thursday, December 04, 2014 10:46 AM
To: 'Pedro Igor Silva'
Cc: security-dev(a)lists.jboss.org
Subject: RE: [security-dev] SP-initiated Single Log Out
Pedro,
Thanks a lot for the reply. I should have mentioned I need to use front channel. A
follow-up question: After I send ?GLO=true to my SP from a browser, the
ServiceProviderAuthenticator code would need to know the IDP's SLO URL to send the SLO
request. How do I configure that (i.e., to let ServiceProviderAuthenticator know the IDP SLO
URL)?
Thanks,
Adam
-----Original Message-----
From: Pedro Igor Silva [mailto:psilva@redhat.com]
Sent: Wednesday, December 03, 2014 5:03 PM
To: Adam Dong
Cc: security-dev(a)lists.jboss.org
Subject: Re: [security-dev] SP-initiated Single Log Out
Using front-channel SLO you need browser redirects. So you must send ?GLO=true to your SP
from a browser.
But, if you are using back-channel SLO, I think you can invoke the IdP once with a
?GLO=true (using some HTTP library) and it will invoke each SP to invalidate the session
for the user. In this case, you need to pass the JSESSIONID from the IdP, so it can restore
the user session and know the participants (SPs).
There is no API for that.
----- Original Message -----
From: "Adam Dong" <adamdong(a)vidder.com>
To: security-dev(a)lists.jboss.org
Sent: Wednesday, December 3, 2014 10:26:37 PM
Subject: [security-dev] SP-initiated Single Log Out
Hi,
If I'd like to, from the SP side, initiate the SLO (single log out) programmatically
(suppose it is the code behind a GUI "Logout" button), how do I do that (which
class and which method to call)?
Thanks,
Adam
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev