Implement SSO and SLO
Within SAML 2.0 you can implement single sign-on (SSO) and single logout (SLO). SLO is the ability to terminate multiple login sessions by logging out of one central place.
There are two authentication initiations in which SSO can take place:

- SP-initiated SSO: the SP initiates the login request. For example:
  1. If a user navigates to the SP first, the SP directs the user to the IdP for the login.
  2. If the user already has a session on the IdP, the IdP redirects the user back to the SP with a SAML assertion.
  3. If the user doesn't have a session, they enter their credentials. After a successful login, the user is redirected back to the SP with a SAML assertion.
  4. The user is allowed access to the SP application.
- IdP-initiated SSO: the IdP initiates the login to the SP. For example:
  1. The user is already logged into the IdP and clicks an application (SP) to access it.
  2. The IdP sends a SAML assertion to the SP.
  3. The user is allowed access to the SP application.
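The two flows above differ in what the SP can check when the assertion arrives. In SP-initiated SSO the Response carries an `InResponseTo` that must match an AuthnRequest the SP actually issued; in IdP-initiated SSO the Response is unsolicited and there is nothing to correlate it with, so the SP has to decide explicitly whether to accept such responses. The following script is an added example, not Advanced Identity Cloud code: it models the SP side of both flows with constructed entity IDs, URLs and an unsigned sample Response. It builds the HTTP-Redirect URL for an AuthnRequest (DEFLATE, base64, URL-encode), decodes it as the IdP would, and then applies the checks on the returned Response (InResponseTo, one-time use, status, Audience, expiry). XML signature verification is omitted here; a real SP verifies the Response or Assertion signature before trusting any of these fields.

```python
"""SP-side model of SP-initiated and IdP-initiated SAML 2.0 SSO (added example).
Entity IDs, URLs and the sample Response are constructed; no signature handling."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"


class ServiceProvider:
    def __init__(self, entity_id, idp_sso_url, allow_unsolicited=False):
        self.entity_id = entity_id            # hypothetical SP entity ID
        self.idp_sso_url = idp_sso_url        # hypothetical IdP SSO endpoint
        self.allow_unsolicited = allow_unsolicited  # accept IdP-initiated Responses?
        self.pending = set()                  # IDs of AuthnRequests awaiting a Response

    def build_authn_request(self):
        """SP-initiated SSO, first step: AuthnRequest sent via the HTTP-Redirect binding."""
        req_id = "_" + secrets.token_hex(16)
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
               f'ID="{req_id}" Version="2.0" IssueInstant="{datetime.now(timezone.utc).strftime(TS)}">'
               f'<saml:Issuer>{self.entity_id}</saml:Issuer></samlp:AuthnRequest>')
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, no zlib header
        encoded = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
        self.pending.add(req_id)
        return req_id, self.idp_sso_url + "?" + urlencode({"SAMLRequest": encoded})

    def process_response(self, response_xml, now=None):
        """Checks applied when the browser delivers the Response to the SP.
        Returns a dict: accepted, flow ('sp-initiated' or 'idp-initiated'), name_id or reason."""
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(response_xml)
        if root.tag != f'{{{NS["samlp"]}}}Response':
            return {"accepted": False, "reason": "not a samlp:Response"}
        irt = root.get("InResponseTo")
        if irt is not None:
            if irt not in self.pending:   # must answer a request this SP really made
                return {"accepted": False, "reason": "InResponseTo matches no outstanding request"}
            self.pending.discard(irt)      # one-shot: the same Response cannot be replayed
            flow = "sp-initiated"
        elif self.allow_unsolicited:
            flow = "idp-initiated"          # unsolicited Response, nothing to correlate with
        else:
            return {"accepted": False, "reason": "unsolicited Response not accepted"}
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            return {"accepted": False, "reason": "IdP did not report Success"}
        assertion = root.find("saml:Assertion", NS)
        cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
        if cond is None:
            return {"accepted": False, "reason": "no assertion or no Conditions"}
        audience = cond.find("saml:AudienceRestriction/saml:Audience", NS)
        if audience is None or audience.text != self.entity_id:
            return {"accepted": False, "reason": "assertion not addressed to this SP"}
        expiry = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
        if now >= expiry:
            return {"accepted": False, "reason": "assertion expired"}
        return {"accepted": True, "flow": flow,
                "name_id": assertion.find("saml:Subject/saml:NameID", NS).text}


def decode_redirect_request(url):
    """What the IdP does on receipt: recover the AuthnRequest XML from the redirect URL."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def sample_response(audience, in_response_to=None, name_id="alice@example.com",
                    not_on_or_after="2099-01-01T00:00:00Z"):
    """Constructed, unsigned Response of the shape an IdP posts back (sample data only)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{irt}>'
            f'<saml:Issuer>https://idp.example.net</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            f'<saml:Issuer>https://idp.example.net</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotOnOrAfter="{not_on_or_after}"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    sp = ServiceProvider("https://sp.example.com", "https://idp.example.net/sso")
    req_id, url = sp.build_authn_request()
    print("IdP sees:", decode_redirect_request(url)[:60], "...")
    print("SP-initiated:", sp.process_response(sample_response(sp.entity_id, req_id)))
    print("Replay:", sp.process_response(sample_response(sp.entity_id, req_id)))
    print("Unsolicited:", sp.process_response(sample_response(sp.entity_id)))
```

Running it shows the SP-initiated Response being accepted once, the replay of the same Response being refused because the request ID has been consumed, and the unsolicited Response being refused because this SP was constructed with `allow_unsolicited=False`. Constructing the SP with `allow_unsolicited=True` is what makes the IdP-initiated flow work, at the cost of the request correlation the SP-initiated flow provides.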
Integrated and standalone mode
Advanced Identity Cloud provides the following options for implementing SSO and SLO with SAML 2.0:

- Integrated mode
  SSO in integrated mode uses a SAML2 authentication node on a service provider (SP), thereby integrating SAML 2.0 authentication into the Advanced Identity Cloud authentication process. The authentication node handles the SAML 2.0 protocol details for you.
  Integrated mode supports SP-initiated SSO only, because the authentication service that includes the SAML 2.0 node resides on the SP. You can't trigger IdP-initiated SSO in an integrated mode implementation.
  Use integrated mode if you want to deploy SAML 2.0 SSO using the easiest technique.
- Standalone mode
  Access servlet URLs to initiate SSO and SLO.
  Use standalone mode for any of the following reasons:
  - You want to trigger SAML 2.0 IdP-initiated SSO.
  - You want to use the SAML 2.0 Enhanced Client or Proxy (ECP) single sign-on profile.
  - Your IdP and SP instances are using the same domain name, for example, mydomain.net. Because integrated mode tracks authentication status by using a cookie, it can't be used when both the IdP and SP share a domain name.
The following table summarizes support for SSO and SLO in integrated and standalone mode.

| Mode | SSO | SLO |
|---|---|---|
| Integrated mode | SP-initiated SSO only (1) | Not supported |
| Standalone mode | Supported | Supported |

(1) Only supported if IdP and SP instances are using different domain names.