Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance

More documents

Recommendations

Info

Liberty Alliance Project:Liberty ID-FF Bindings and Profiles SpecificationVersion: 1.2-errata-v2.01667166816691670167116721673167416751676167716781679[RFC2616] indicates a client should detect infinite redirection loops because such loops generate networktraffic for each redirection. This requirement was introduced because previous versions of the specificationrecommended a maximum of five redirections. Content developers should be aware that some clients mightimplement such a fixed limitation.3.5.1.1.1.1. Step 1: Accessing the Single Logout Service at the Identity ProviderIn step 1, the user agent accesses the single logout service URL at the identity provider indicating that all serviceproviders for which this identity provider has provided authentication assertions during the Principal’s current sessionmust be notified of session termination.3.5.1.1.1.2. Step 2: Redirecting to the Single Logout Service at the Service ProviderIn step 2, the identity provider’s single logout service responds and redirects the user agent to the single logout serviceURL at each service provider for which the identity provider has provided an authentication assertion during thePrincipal’s current session with the identity provider.The redirections MUST adhere to the following rules:168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703• The Location HTTP header MUST be set to the service provider’s single logout service URL.• The service provider’s single logout service URL MUST specify https as the URL scheme; if another scheme isspecified, the identity provider MUST NOT redirect to the service provider.• The Location HTTP header MUST include a component containing the protocol message as defined in [LibertyProtSchema] with formatting as specified in 3.1.2.The HTTP response MUST take the following form: 302 Location : https://?where:This element provides the host name, port number, and path components of the single logout service URL at theservice provider.= ......The MUST contain a single logout request.3.5.1.1.1.3. Step 3: Accessing the Service Provider Single Logout ServiceIn step 3, the user agent accesses the service provider’s single logout service URL with the information attached to the URL fulfilling the redirect request.3.5.1.1.1.4. Step 4: Processing the RequestIn step 4, the service provider MUST process the according to the rules defined in[LibertyProtSchema].Liberty Alliance Project48
Liberty Alliance Project:Liberty ID-FF Bindings and Profiles SpecificationVersion: 1.2-errata-v2.0170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736The service provider MUST invalidate the session(s) of the Principal referred to in the name identifier it received fromthe identity provider in the .3.5.1.1.1.5. Step 5: Redirecting to the Identity Provider Return URLIn step 5, the service provider’s single logout service responds and redirects the user agent back to the identity providerusing the return URL location obtained from the SingleLogoutServiceReturnURL metadata element. If the URLencoded message received in step 3 contains a parameter named RelayState, then the serviceprovider MUST include a component containing the same RelayState parameter and its value in its responseto the identity provider.The purpose of this redirect is to return the user agent to the identity provider so that the single logout process maycontinue in the same fashion with other service providers.The HTTP response MUST take the following form: 302 Location : https://?where:This element provides the host name, port number, and path components of the return URL at the identity provider.= ...The component MUST contain a single logout response. The MUSTcontain the identical RelayState parameter and its value that was received in the URL-encoded logout request messageobtained in step 3. If no RelayState parameter was provided in the step 3 message, then a RelayState parameter MUSTNOT be specified in the .3.5.1.1.1.6. Step 6: Accessing the Identity Provider Return URLIn step 6, the user agent accesses the identity provider’s return URL location fulfilling the redirect request.3.5.1.1.1.7. Step 7: ConfirmationIn step 7, the user agent is sent an HTTP response that confirms the requested action of a single logout has beencompleted.3.5.1.1.2. HTTP-GET ImplementationThe HTTP-GET implementation uses HTTP GET requests to communicate logout requests to each service providerfor which the identity provider has provided authentication during the Principal’s current session if the service providerindicated a preference to receive logout requests via the HTTP based profile. See Figure 13.Liberty Alliance Project49
Page 1 and 2: Liberty Alliance Project:Version: 1
Page 3 and 4: Liberty Alliance Project:Liberty ID
Page 33: Liberty Alliance Project:Liberty ID
Page 70: Liberty Alliance Project:Liberty ID

Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance

Create successful ePaper yourself

Delete template?

Save as template?