13.07.2015 Views

Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance


Liberty Alliance Project: Liberty ID-FF Bindings and Profiles Specification
Version: 1.2-errata-v2.0

[Figure 10: sequence diagram between User Agent, Service Provider and Identity Provider. Steps: 1. HTTP Request; 2. 302 with Location; 3. GET; 4. Process Request; 5. 302 with Location; 6. GET; 7. 200 OK]

Figure 10. HTTP-redirect-based profile for federation termination

This profile description assumes the following preconditions:

• The Principal’s identity at the service provider is federated with his/her identity at the identity provider.
• The Principal has requested to the identity provider that the federation be terminated.
• The Principal has authenticated with the identity provider.

3.4.1.1.1. Step 1: Accessing the Federation Termination Service

In step 1, the user agent accesses the identity federation termination service URL at the identity provider specifying the service provider with which identity federation termination should occur. How the service provider is specified is implementation-dependent and, as such, is out of the scope of this specification.

3.4.1.1.2. Step 2: Redirecting to the Service Provider

In step 2, the identity provider’s federation termination service URL responds and redirects the user agent to the federation termination service at the service provider.

The redirection MUST adhere to the following rules:

• The Location HTTP header MUST be set to the service provider’s federation termination service URL.
• The service provider’s federation termination service URL MUST specify https as the URL scheme; if another scheme is specified, the identity provider MUST NOT redirect to the service provider.
• The Location HTTP header MUST include a component containing the protocol message as defined in [LibertyProtSchema] with formatting as specified in Section 3.1.2.
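
One way an identity provider could enforce the step 2 redirection rules before emitting the Location header. This is an added example, not code from the specification or from any Liberty implementation; the function and exception names are hypothetical, and the protocol message is assumed to arrive already encoded as a query string, since the Section 3.1.2 formatting is not shown here.

```python
from urllib.parse import urlsplit, urlunsplit


class RedirectRefused(Exception):
    """Raised when the identity provider must not issue the redirect."""


def build_termination_redirect(sp_termination_url: str, encoded_message: str) -> str:
    """Return the Location header value for the step 2 redirect.

    sp_termination_url: the service provider's federation termination
        service URL (assumed to come from the provider's stored metadata).
    encoded_message: the protocol message, already URL-encoded as a query
        string (treated as opaque; its format is an assumption here).
    """
    # Refuse whitespace and control characters up front: CR/LF would let the
    # value split the HTTP header, and URL parsers may silently strip them.
    for value in (sp_termination_url, encoded_message):
        if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in value):
            raise RedirectRefused("whitespace or control character in redirect data")

    try:
        parts = urlsplit(sp_termination_url)
    except ValueError as exc:  # e.g. a malformed bracketed host
        raise RedirectRefused(f"unparseable URL: {exc}") from exc

    # Rule: the URL MUST specify https; any other scheme means no redirect.
    # urlsplit lowercases the scheme, so "HTTPS://" is accepted as https.
    if parts.scheme != "https":
        raise RedirectRefused(f"scheme {parts.scheme!r} is not https")
    if not parts.hostname:
        raise RedirectRefused("URL has no host")

    # Rule: the Location header MUST carry the protocol message.
    if not encoded_message:
        raise RedirectRefused("no protocol message to send")

    # Keep any query the service URL already has and append the message.
    # A fragment is dropped because it would never reach the provider.
    query = f"{parts.query}&{encoded_message}" if parts.query else encoded_message
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
```
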
