Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance

More documents

Recommendations

Info

Liberty Alliance Project:Liberty ID-FF Bindings and Profiles SpecificationVersion: 1.2-errata-v2.016061607160816091610161116121613161416151616161716181619162016211622162316241625This URI identifier is really only meant for service provider consumption and as such is not needed in any providermetadata.3.4.2.2. SOAP/HTTP-Based ProfileThe SOAP/HTTP-based profile relies on using asynchronous SOAP over HTTP to communicate federation terminationnotification messages from the service provider to the identity provider. For a discussion of the interactions andprocessing steps, refer to 3.4.1.2. When reviewing that profile, interchange all references to service provider andidentity provider in the interaction diagram and processing steps.The following URI-based identifier MUST be used when referencing this specific profile:URI: http://projectliberty.org/profiles/fedterm-sp-soapThis URI identifier is really only meant for service provider consumption and as such is not needed in any providermetadata.3.5. Single Logout ProfilesThe single logout profiles synchronize session logout functionality across all sessions that were authenticated by aparticular identity provider. The single logout can be initiated at either the identity provider or the service provider.In either case, the identity provider will then communicate a logout request to each service provider with which ithas established a session for the Principal. The negotiation of which single logout profile the identity provider usesto communicate with each service provider is based upon the SingleLogoutProtocolProfile provider metadata elementdefined in [LibertyProtSchema].The available profiles are defined in Section 3.5.1 and Section 3.5.2, depending on whether the single logout is initiatedat the identity provider or service provider:1626• Single Logout Initiated at Identity Provider1627162816291630• HTTP-Based: Relies on using either HTTP 302 redirects or HTTP GET requests to communicate logoutrequests from an identity provider to the service providers.• SOAP/HTTP-Based: Relies on SOAP over HTTP messaging to communicate logout requests from an identityprovider to the service providers.1631• Single Logout Initiated at Service Provider16321633163416351636• HTTP-Redirect-Based: Relies on an HTTP 302 redirect to communicate a logout request with the identityprovider.• SOAP/HTTP-Based: Relies on SOAP over HTTP messaging to communicate a logout request from a serviceprovider to an identity provider.The single logout profiles make use of the following metadata elements, as defined in [LibertyMetadata]:16371638• SingleLogoutServiceURL — The URL at the service provider or identity provider to which single logoutrequests are sent. It is described in these profiles as "single logout service URL."Liberty Alliance Project46
Liberty Alliance Project:Liberty ID-FF Bindings and Profiles SpecificationVersion: 1.2-errata-v2.0163916401641164216431644• SingleLogoutServiceReturnURL— The URL used by the service provider when redirecting the user agent tothe identity provider at the end of the single logout profile process.• SingleLogoutProtocolProfile — Used by the identity provider to determine which single logout requestprofile MUST be used when communicating with the service provider.• SOAPEndpoint — The SOAP endpoint location at the service provider or identity provider to which LibertySOAP messages are sent.16451646164716481649165016511652165316541655165616571658165916603.5.1. Single Logout Initiated at Identity ProviderThe profiles in 3.5.1.1 through 3.5.1.2 are specific to a single logout when initiated by a user agent at the identityprovider.3.5.1.1. HTTP-Based ProfileThe HTTP-based profile defines two possible implementations that an identity provider may use. The firstimplementation relies on using HTTP 302 redirects, while the second uses HTTP GET requests. The choice ofimplementation is entirely dependent upon the type of user experience the identity provider provides.The following URI-based identifier MUST be used when referencing either implementation for this specific profile:URI: http://projectliberty.org/profiles/slo-idp-httpThis URI identifier MUST be specified in the service provider metadata element SingleLogoutProtocolProfile whenthe service provider intends to indicate to the identity provider a preference for receiving logout requests via either anHTTP redirect or an HTTP GET.3.5.1.1.1. HTTP-Redirect ImplementationThe HTTP-Redirect implementation uses HTTP 302 redirects to communicate a logout request to each service providerfor which the identity provider has provided authentication assertions during the Principal’s current session if theservice provider indicated a preference to receive logout requests via the HTTP based profile. See Figure 12.User AgentService ProviderIdentity Provider1. GET ()2. 302; Location: ?()3. GET: ?5. 302; Location: ?()4. ProcessRequest6. GET: ?()7: 200 OK: ()16611662Figure 12. HTTP-Redirect implementation for single logout initiated at identity provider1663166416651666Notes:Steps 2 through 6 may be an iterative process for requesting logouts by each service provider that has beenissued authentication assertions during the Principal’s current session and has indicated a preference to receivelogout requests via the HTTP based profile.Liberty Alliance Project47
Page 1 and 2: Liberty Alliance Project:Version: 1
Page 3 and 4: Liberty Alliance Project:Liberty ID
Page 33: Liberty Alliance Project:Liberty ID
Page 70: Liberty Alliance Project:Liberty ID

Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance

Create successful ePaper yourself

Delete template?

Save as template?