Skip to main content

Single Logout (SLO) VAM Deployment Guide

Note

This guide applies only to Identity Platform release 23.07 and earlier.

To enable this feature for Identity Platform release 24.04 or later, see How to configure Single Logout (SLO).

The Single Logout (SLO) Value-Added Module (VAM) provides the SecureAuth® Identity Platform (formerly SecureAuth IdP) with the ability to log out of several service providers using a single logout request, by using the same multisession token. Once you log out of one service provider, it sends a logout request to the Managed Logout page for that realm.

This VAM is added to the SecureAuth Identity Platform appliance using an installer that supplements the appliance with all necessary files and modifies the configurations accordingly.

Architecture

The Managed Logout page constructs a stack of frames for each of the service providers currently logged in with the same multisession token. It then creates an iframe for each of the service providers in the stack. Each of these iframes has a Restart page as the source URL. Each iframe clears out sessions, logs the user out of the SecureAuth realm, and sends a logout request to the corresponding service provider, as shown in the following image.

SLO_VAM_001.png

Installation guidelines

  1. Download the installer for the Single Logout VAM.

  2. Create the Identity Platform realms or know which realms are set up for single logout (SLO) functionality.

System prerequisites

  • SecureAuth Identity Platform version 9.0 or later.

  • Using the SecureAuth Identity Platform Web Admin, either create new realms for this process or identify those existing realms designated for single logout (SLO).

Installation

The following is a list of files provided by SecureAuth in the ShareFile link. Copy these files to the SecureAuth realm folder (D:\Secureauth\SecureAuthXX):

  • ../SecureAuthXX/AssertionConsumerService.aspx

  • ../SecureAuthXX/AssertionConsumerService.aspx.vb

  • ../SecureAuthXX/ManagedLogout.aspx

  • ../SecureAuthXX/ManagedLogout.aspx.vb

  • ../SecureAuthXX/Restart.aspx

  • ../SecureAuthXX/Restart.aspx.vb

  • ../SecureAuthXX/Authorized/SAML20IdPInit.aspx

  • ../SecureAuthXX/Authorized/SAML20IdPInit.aspx.vb

  • ../SecureAuthXX/Authorized/SAML20SPInit.aspx

  • ../SecureAuthXX/Authorized/SAML20SPInit.aspx.vb

  • ../SecureAuthXX/Authorized/WSFedProvider.aspx

  • ../SecureAuthXX/Authorized/WSFedProvider.aspx.vb

  • ../SecureAuthXX/Authorized/SAML20IdPInitACS.aspx

  • ../SecureAuthXX/Authorized/SAML20IdPInitACS.aspx.vb

  • ../SecureAuthXX/Authorized/SAML20LogoutService.aspx

  • ../SecureAuthXX/Authorized/SAML20LogoutService.aspx.vb

  • ../SecureAuthXX/Bin/SecureAuth.SingleLogout.dll.

  • ../SecureAuthXX/Bin/MFC.SAML20.dll

Configuration steps

In the web.config, add the following keys in the <appSetting> section for each SecureAuthXX realm.

<add key="SingleLogout" value="True" />
<add key="MultiSessionEnabled" value="True" />
<add key="SingleSessionEnabled" value="False" />
<add key="SSTokenName" value="SSToken" />
<add key="MSTokenName" value="MSToken" />
<add key="LogoutMethod" value="2" />
<add key="CaptureLogoutURL" value="True" />
<add key="LogoutUrl" value="https://URL" />
<add key="LogoutTokenExpiration" value="True" />
<add key="LogoutTokenExpirationTime" value="5" />
<add key="SignLogoutMessage" value="False" />

For more information about the keys, see the following table.

Key

Description

MultiSessionEnabled

Used if there are multiple service providers, otherwise considered SLO.

SingleSessionEnabled

Used if there is only one service provider application.

SSTokenName

This is an arbitrary value used for the name of the single-session cookie.

If multiple realms share the same SSTokenName, the last realm from which the user authenticates will be the only session from which the user logs out.

MSTokenName

This is an arbitrary value used for multisession cookie(s).

Multiple realms can use the same MSTokenName to chain together SLO. More than one MSTokenName can exist per appliance.

LogoutMethod

Directs the logout system to use a specific logout method (for example, SAML or WS-Federation) and how to use it (for example, HTTP-Redirect or POST).

The service provider (SP) dictates what is used. Options are:

  • Value="1": HTTP Redirect

  • Value="1": SAML Post

  • Value="2": SAML Redirect

  • Value="3": WS-Federation

CaptureLogoutURL

Used for WS-Federation or SAML to capture the reply or ACS/Logout URL value dynamically for the logout URL.

The SP must provide these values in the initial login request for this feature to work.

LogoutUrl

Used for a static URL if none is supplied by WS-Fed, or, for example, for SAML 2.0 systems.

This is provided by the service provider.

LogoutTokenExpiration

Use one of the following settings:

  • True – The logout token configured for the realm (multisession or single session) is set to expire at the given LogoutTokenExpirationTime.

  • False – The logout token expires with the user’s browser session.

LogoutTokenExpirationTime

The time (in minutes) after creation the logout token expires when LogoutTokenExpiration is set to True.

SignLogoutMessage

Directs the system to add a signature to the logout message.

Note

The Single Logout Configuration page only opens for realms to which the Single Logout module is installed.

Multi-session SLO works only with realms that do not have the HTTP Redirect option in the Logout Method field on the configuration page.

Upgrade information

Before upgrading SecureAuth software, open a Support ticket. The process of upgrading to a newer SecureAuth software version might cause the SecureAuth VAM to become invalid and stop working. When your site is ready to upgrade SecureAuth software, get started by creating a support ticket selecting I have a question or issue regarding SecureAuth Value-Added Modules (VAMs) from the "Submit a request" list. A SecureAuth Tailoring engineer will contact you to evaluate and ensure that the VAM will work with updated SecureAuth software.