Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance

More documents

Recommendations

Info

Liberty Alliance Project:Liberty ID-FF Bindings and Profiles SpecificationVersion: 1.2-errata-v2.01797179817991800180118021803180418053.5.1.2. SOAP/HTTP-Based ProfileThe SOAP/HTTP-based profile uses SOAP over HTTP messaging to communicate a logout request to each serviceprovider for which the identity provider has provided authentication assertions during the Principal’s current session ifthe service provider indicated a preference to receive logout request via the SOAP/HTTP-based profile. See Figure 14.The following URI-based identifier MUST be used when referencing this specific profile:URI: http://projectliberty.org/profiles/slo-idp-soapThis URI identifier MUST be specified in the service provider metadata element SingleLogoutProtocolProfile whenthe service provider intends to indicate to the identity provider a preference for receiving logout requests via SOAPover HTTP.User AgentService ProviderIdentity Provider1. HTTP Request()2. SOAP POST: ()3. ProcessRequest4: SOAP 200 OK ()5: 200 OK: ()18061807Figure 14. SOAP/HTTP-based profile for single logout initiated at identity provider180818091810181118121813181418151816181718181819182018211822182318241825Note:Steps 2 through 4 may be an iterative process for each service provider that has been issued authenticationassertions during the Principal’s current session and has indicated a preference to receive logout requests viathe SOAP/HTTP message profile.3.5.1.2.1. Step 1: Accessing the Single Logout ServiceIn step 1, the user agent accesses the single logout service URL at the identity provider via an HTTP request.3.5.1.2.2. Step 2: Logout RequestIn step 2, the identity provider sends a SOAP over HTTP request to the SOAP endpoint of each service providerfor which it provided authentication assertions during the Principal’s current session. The SOAP message MUSTcontain exactly one element in the SOAP body and adhere to the construction rules definedin [LibertyProtSchema].If a SOAP fault occurs, the identity provider SHOULD employ best efforts to resolve the fault condition and resendthe single logout request to the service provider.3.5.1.2.3. Step 3: Processing the Logout RequestIn step 3, the service provider MUST process the according to the rules defined in[LibertyProtSchema].The service provider MUST invalidate the session for the Principal specified by the name identifier provided by theidentity provider in the .Liberty Alliance Project52
Liberty Alliance Project:Liberty ID-FF Bindings and Profiles SpecificationVersion: 1.2-errata-v2.018261827182818291830183118321833183418351836183718381839184018413.5.1.2.4. Step 4: Responding to the RequestIn step 4, the service provider MUST respond to the with a SOAP 200 OK message.3.5.1.2.5. Step 5: ConfirmationIn step 5, the user agent is sent an HTTP response that confirms the requested action of single logout has completed.3.5.2. Single Logout Initiated at Service ProviderThe profiles in Section 3.5.2.1 and Section 3.5.2.2 are specific to the Principal’ initiation of the single logout requestprocess at the service provider.3.5.2.1. HTTP-Based ProfileThe HTTP-based profile relies on using an HTTP 302 redirect to communicate a logout request with the identityprovider. The identity provider will then communicate a logout request to each service provider with which it hasestablished a session for the Principal using the service provider’ preferred profile for logout request from the identityprovider (see Section 3.5.1). See Figure 15.The following URI-based identifier MUST be used when referencing this specific profile:URI: http://projectliberty.org/profiles/slo-sp-httpThis URI identifier is intended for service provider consumption and is not needed in provider metadata.User AgentService ProviderIdentity Provider1. HTTP Request()2. 302; Location: ?()3. GET: ?5. 302; Location: ?()4. ProcessRequest6. GET: ?()7: 200 OK: ()18421843Figure 15. HTTP-redirect-based profile for single logout initiated at service provider1844184518461847184818491850Note:Step 4 may involve an iterative process by the identity provider to implement the preferred profile for logoutrequests for each service provider that has been issued authentication assertions during the Principal’s currentsession.3.5.2.1.1. Step 1: Accessing the Single Logout Service at the Service ProviderIn step 1, the user agent accesses the single logout service URL at the service provider indicating that session logoutis desired at the associated identity provider and all service providers for which this identity provider has providedLiberty Alliance Project53
Page 1 and 2: Liberty Alliance Project:Version: 1
Page 3 and 4: Liberty Alliance Project:Liberty ID
Page 33: Liberty Alliance Project:Liberty ID
Page 70: Liberty Alliance Project:Liberty ID

Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?