This deployment profile of SAML 2.0 Single Logout defines a minimal set of requirements that entities need to support in order to be interoperable using Single Logout.
$Id: frontchannelslo.txt 64 2009-07-09 09:14:20Z andreas $
1 Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.
2 Introduction
This deployment profile of SAML 2.0 Single Logout defines a minimal set of requirements that entities need to support in order to be interoperable. The goals of this profile include:
- Easy implementation that can be based on available SAML libraries.
- Good support in current available SAML 2.0 software implementations
- Minimal effort required to configure entities to support this profile from a default installation.
- Increased interoperability between SAML 2.0 implementations and deployment environments, thanks to a very limited set of required options.
2.1 Specification Scope
The scope of this specification is a SAML 2.0 deployment profile, "Single Logout Profile", that limits the options available in SAML 2.0 Single Logout to increase interoperability between deployments.
2.2 References to SAML 2.0 specification
When referring to elements from the SAML 2.0 core specification saml2-core, the following syntax is used:
<samlp:ProtocolElement> - for elements from the SAML 2.0 Protocol namespace.
This profile is a normative deployment profile for the SAML 2.0 Single Logout Profile (urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser), as specified in saml2-profiles. Text from saml2-profiles, saml2-core and saml2-bindings is background material, and is not repeated in this document.
2.3 References to other SAML 2.0 deployment profiles
All entities supporting this profile MUST provide SAML 2.0 Metadata following the Interoperable SAML 2.0 Metadata Profile saml2-metadata-profile specification.
All entities supporting this profile MUST also support the Interoperable SAML 2.0 WebSSO Deployment Profile saml2-interoperable-profile.
3 Single Logout Profile
This deployment profile of SAML 2.0 Single Logout (SLO) defines a set of requirements that entities need to support in order to be interoperable with other entities.
All entities following this profile MUST support SAML 2.0 Single Logout both initiated from the entity itself and initiated from other entities.
3.1 The Service Provider
The Service Provider MUST support initiating Single Logout from the service. A visible logout link MUST be available to users of the service.
The Service Provider MUST also be able to handle incoming LogoutRequest messages from the Identity Provider when Single Logout is initiated from other entities.
If the Service Provider receives a LogoutRequest with IsPassive="True" it MUST be able to terminate the session without interacting with the user.
3.2 The Identity Provider
The Identity Provider MUST be able to handle Single Logout initiated by any of the connected Service Providers.
The Identity Provider is not required to support handling a LogoutRequest with IsPassive="True"; if it does not, it MUST return a SAML error response with an appropriate status code.
3.3 The LogoutRequest
The <samlp:LogoutRequest> issued by a requester MUST be sent to the responder using the HTTP-REDIRECT binding.
The requester SHOULD NOT sign the <samlp:LogoutRequest>.
The responder MUST verify that the Subject referred to in the LogoutRequest is the same as the user holding the active session with the browser (typically using a cookie for session lookup).
3.4 The LogoutResponse
The <samlp:LogoutResponse> issued by a responder MUST be sent to the requester using the HTTP-REDIRECT binding.
The responder SHOULD NOT sign the <samlp:LogoutResponse>.
4 Security Considerations
Because this profile only allows the use of the front-channel HTTP-REDIRECT binding for the LogoutRequest and LogoutResponse messages, signing the messages to ensure integrity is not considered necessary.
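The following is an added worked example, not part of this profile or of any particular SAML implementation, showing the responder side of sections 3.1 to 3.4 together with the point made in section 4: the LogoutRequest arrives unsigned over the HTTP-REDIRECT binding (DEFLATE, base64, URL-encoded query parameter), the responder looks up the browser session by cookie, checks that the NameID in the request matches that session before terminating it, and answers with a LogoutResponse over the same binding. The entity IDs, endpoint URLs, session store, and the choice of the NoPassive and RequestDenied second-level status codes are assumptions made for the example; the profile itself only requires "an appropriate status code". Because the subject check ties an unsigned request to the session the browser itself holds, a request that does not match the current user cannot end anyone else's session.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET  # production code should use a hardened parser such as defusedxml

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Status codes defined in saml2-core; which second-level code to use is the deployer's choice.
ST_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ST_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
ST_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ST_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
ST_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

# Constructed stand-in for SAML metadata: entityID -> SingleLogoutService endpoint (hypothetical URLs).
SLO_ENDPOINTS = {
    "https://sp.example.org": "https://sp.example.org/saml/slo",
    "https://idp.example.org": "https://idp.example.org/saml/slo",
}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def encode_redirect(endpoint, param, xml_bytes, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as a query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE without zlib header
    query = {param: base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")}
    if relay_state is not None:
        query["RelayState"] = relay_state
    return endpoint + ("&" if "?" in endpoint else "?") + urlencode(query)


def decode_redirect(url, param):
    """Reverse of encode_redirect: returns (parsed root element, RelayState or None)."""
    params = parse_qs(urlsplit(url).query)  # parse_qs already URL-decodes the values
    xml_bytes = zlib.decompress(base64.b64decode(params[param][0]), -15)
    return ET.fromstring(xml_bytes), params.get("RelayState", [None])[0]


def build_logout_request(issuer, destination, name_id, is_passive=False):
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                                   "IssueInstant": _now(), "Destination": destination})
    if is_passive:
        req.set("IsPassive", "true")  # xs:boolean lexical form; the handler also tolerates "True"
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    return ET.tostring(req)


def build_logout_response(issuer, destination, in_response_to, codes):
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                                     "IssueInstant": _now(), "Destination": destination,
                                                     "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=codes[0])
    for second in codes[1:]:  # second-level codes nest inside the top-level StatusCode
        ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=second)
    return ET.tostring(resp)


def handle_logout_request(my_entity_id, request_url, session_cookie, sessions, supports_passive=True):
    """Responder side of sections 3.1-3.4. `sessions` maps cookie value -> NameID of the
    logged-in user. Returns (redirect URL carrying the LogoutResponse, status codes used)."""
    req, relay_state = decode_redirect(request_url, "SAMLRequest")
    requester = req.findtext(f"{{{SAML}}}Issuer")
    if requester not in SLO_ENDPOINTS:
        raise ValueError("LogoutRequest from an entity not present in metadata")
    name_id = req.findtext(f"{{{SAML}}}NameID")
    is_passive = req.get("IsPassive", "false").strip().lower() in ("true", "1")
    session_user = sessions.get(session_cookie)

    if is_passive and not supports_passive:
        codes = (ST_RESPONDER, ST_NO_PASSIVE)  # 3.2: refuse passive logout with an error status
    elif session_user is None:
        codes = (ST_SUCCESS,)  # no session in this browser: nothing to terminate
    elif session_user != name_id:
        # 3.3: the Subject must match the session this browser holds; an unsigned request
        # naming anyone else is denied and the session is left untouched.
        codes = (ST_REQUESTER, ST_REQUEST_DENIED)
    else:
        del sessions[session_cookie]  # 3.1: terminate the session, no user interaction needed
        codes = (ST_SUCCESS,)

    resp_xml = build_logout_response(my_entity_id, SLO_ENDPOINTS[requester], req.get("ID"), codes)
    return encode_redirect(SLO_ENDPOINTS[requester], "SAMLResponse", resp_xml, relay_state), codes


def status_codes(response_root):
    """Flatten the nested StatusCode chain of a LogoutResponse into a tuple of Value strings."""
    code = response_root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    out = []
    while code is not None:
        out.append(code.get("Value"))
        code = code.find(f"{{{SAMLP}}}StatusCode")
    return tuple(out)


if __name__ == "__main__":
    idp, sp = "https://idp.example.org", "https://sp.example.org"
    sessions = {"sid-1": "alice@example.org"}  # constructed IdP session store
    url = encode_redirect(SLO_ENDPOINTS[idp], "SAMLRequest",
                          build_logout_request(sp, SLO_ENDPOINTS[idp], "alice@example.org"), "state-1")
    print(handle_logout_request(idp, url, "sid-1", sessions), sessions)
```

The session lookup is deliberately keyed only by the cookie the browser presents, so the request can affect at most the session of the user sitting at that browser; this is what makes the unsigned front-channel exchange of section 4 acceptable in practice.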
5 Normative References
- RFC2119 Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997.
- saml2-core OASIS, "SAML 2.0 Core".
- saml2-bindings OASIS, "SAML 2.0 Bindings".
- saml2-profiles OASIS, "SAML 2.0 Profiles".
- saml2-metadata-profile OASIS, "Interoperable SAML 2.0 Metadata Deployment Profile".
- saml2-interoperable-profile "SAML 2.0 Interoperable WebSSO Deployment Profile".
6 Authors' addresses
- Andreas Åkre Solberg, UNINETT, andreas.solberg@uninett.no