Symantec Access Management

  • 1.  SAML2 SLO with multiple SPs

    Posted Aug 09, 2017 07:45 PM

    Hi,

    We are the IdP, and each of our users may have access to multiple SP vendor apps via SAML2 assertions. My question is how to make sure all SPs (e.g. sp1, sp2, sp3) receive the SAML2 SLO message and clear the SP user session.

    For SAML2 SLO, the CA document says that for the HTTP Redirect or POST binding, it will send the SLO message to SP1 first and wait for SP1's SLO complete message, then send the SLO message to SP2 and wait for the success message, then send the SLO message to SP3.

    Does this mean that if SP2 didn't implement SLO properly or is down, then SP3 will never get the SLO message from my IdP side?

    Is there a way (or best practice) that we can trigger the SLO message to all the SPs? (I know the SOAP binding with the back channel can do this, but this would require all SPs to implement the SOAP binding, right?)



  • 2.  Re: SAML2 SLO with multiple SPs
    Best Answer

    Posted Sep 10, 2017 11:52 PM

    Hi, you are correct that all your federation partners must implement the SLO feature.

    It does not necessarily need to be all the same method of SLO.

    SP1 can use HTTP redirect and SP2 can use SOAP.

    As long as they all have SLO implemented, the SLO will be performed successfully.


    You can take a look at a sample below.

    Federation Starters 9
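The behaviour discussed in this thread, as an added illustration (this is not code from the thread, from the CA/Symantec product, or from the Federation Starters sample): an IdP drives SAML 2.0 Single Logout to three SPs. Front-channel partners (HTTP-Redirect/POST) are walked one at a time through the user's browser, so the chain stops at the first SP that never sends its LogoutResponse back, exactly the case the question raises; SOAP partners are called directly by the IdP and are unaffected by a failing front-channel SP, which is the answer's point that bindings can be mixed. The entity IDs, SLO URLs, NameID and SessionIndex are constructed for the example, messages are left unsigned, and the choice to run the back-channel calls before the front-channel chain is this model's own, not something the page states about the product.

```python
"""Model of IdP-initiated SAML 2.0 SLO across several SPs (added example)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FRONT_CHANNEL = {BINDING_REDIRECT, BINDING_POST}

ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, destination, name_id, session_index):
    """samlp:LogoutRequest as the IdP would send it (unsigned in this model)."""
    req = ET.Element(f"{{{NS_P}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "Destination": destination})
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS_A}}}NameID").text = name_id
    ET.SubElement(req, f"{{{NS_P}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def build_logout_response(issuer, in_response_to, status):
    """samlp:LogoutResponse an SP returns for a given LogoutRequest ID."""
    resp = ET.Element(f"{{{NS_P}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = issuer
    status_el = ET.SubElement(resp, f"{{{NS_P}}}Status")
    ET.SubElement(status_el, f"{{{NS_P}}}StatusCode", {"Value": status})
    return ET.tostring(resp, encoding="unicode")


def response_status(xml):
    """Extract the top-level StatusCode value from a LogoutResponse."""
    root = ET.fromstring(xml)
    return root.find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode").get("Value")


class ServiceProvider:
    """Constructed SP holding the user's sessions keyed by SessionIndex."""

    def __init__(self, entity_id, binding, slo_url, reachable=True):
        self.entity_id, self.binding, self.slo_url = entity_id, binding, slo_url
        self.reachable = reachable  # False models an SP that is down or has no SLO
        self.sessions = set()

    def receive_logout_request(self, xml):
        """Clear the session and answer, or return None if the SP never answers."""
        if not self.reachable:
            return None
        req = ET.fromstring(xml)
        self.sessions.discard(req.findtext(f"{{{NS_P}}}SessionIndex"))
        return build_logout_response(self.entity_id, req.get("ID"), STATUS_SUCCESS)


def idp_initiated_slo(idp_entity_id, sps, name_id, session_index):
    """Drive SLO to every SP and return {entity_id: outcome}."""
    outcome = {sp.entity_id: "not-reached" for sp in sps}

    # Back channel: direct IdP -> SP calls; one SP failing does not affect the rest.
    # (Ordering back-channel before front-channel is this model's choice.)
    for sp in (s for s in sps if s.binding == BINDING_SOAP):
        resp = sp.receive_logout_request(build_logout_request(
            idp_entity_id, sp.slo_url, name_id, session_index))
        outcome[sp.entity_id] = response_status(resp) if resp else "no-response"

    # Front channel: sequential via the browser; if an SP never redirects back,
    # the browser is parked there and nothing downstream gets a LogoutRequest.
    for sp in (s for s in sps if s.binding in FRONT_CHANNEL):
        resp = sp.receive_logout_request(build_logout_request(
            idp_entity_id, sp.slo_url, name_id, session_index))
        if resp is None:
            outcome[sp.entity_id] = "no-response"
            break
        outcome[sp.entity_id] = response_status(resp)
    return outcome


def demo(sp3_binding=BINDING_REDIRECT):
    """Three constructed SPs; SP2 never answers. Returns (outcomes, SPs still logged in)."""
    session_index = "_sess-4711"  # constructed
    sps = [
        ServiceProvider("https://sp1.example", BINDING_REDIRECT, "https://sp1.example/slo"),
        ServiceProvider("https://sp2.example", BINDING_POST, "https://sp2.example/slo",
                        reachable=False),
        ServiceProvider("https://sp3.example", sp3_binding, "https://sp3.example/slo"),
    ]
    for sp in sps:
        sp.sessions.add(session_index)
    result = idp_initiated_slo("https://idp.example", sps, "alice@example", session_index)
    still_logged_in = [sp.entity_id for sp in sps if session_index in sp.sessions]
    return result, still_logged_in


if __name__ == "__main__":
    print(demo())              # SP3 on HTTP-Redirect: never reached
    print(demo(BINDING_SOAP))  # SP3 on SOAP: logged out despite SP2
```

Running `demo()` shows SP3 left with "not-reached" and its session intact when it sits behind a silent SP2 in the front-channel chain; switching SP3 to the SOAP binding makes it succeed regardless of SP2, which is why the answer stresses that every partner needs some SLO binding rather than the same one. In a real deployment the LogoutRequest and LogoutResponse would be signed, and a practitioner would also check whether the IdP ends its own session when the chain stops partway.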