Implement SSO and SLO
AM provides two options for implementing SSO and SLO with SAML v2.0:
- Integrated mode
  Integrated mode single sign-on and single logout uses a SAML2 authentication node on a service provider (SP), thereby integrating SAML v2.0 authentication into the AM authentication process. The authentication node handles the SAML v2.0 protocol details for you.
  Integrated mode supports SP-initiated single sign-on only because the authentication service that includes the SAML v2.0 node resides on the SP. You can’t trigger IdP-initiated single sign-on in an integrated mode implementation.
  Integrated mode doesn’t support SLO.
- Standalone mode
  Standalone mode requires that you invoke JSP pages to initiate single sign-on and SLO.
You can also configure web and Java agents to work alongside AM when performing SSO and SLO. Find out more in Web or Java agents SSO and SLO.
The following table provides information to help you decide whether to implement integrated mode or standalone mode for your AM SAML v2.0 deployment:
Deployment task or requirement | Implementation mode |
---|---|
You want to deploy SAML v2.0 single sign-on and single logout using the easiest technique. | Use integrated mode. |
You want to trigger SAML v2.0 IdP-initiated SSO. | Use standalone mode. |
You want to use the SAML v2.0 Enhanced Client or Proxy (ECP) single sign-on profile. | Use standalone mode. |
Your IdP and SP instances are using the same domain name; for example, | Use standalone mode. |
(1) Due to the way integrated mode tracks authentication status by using a cookie, it can’t be used when both the IdP and SP share a domain name.