[Lucidchart diagram]


Logout Flow

User Clicks Logout


The user clicks logout in the Service Provider (i.e. Common Assessment). Since all CCC Services use Spring Security SAML, logging out in Spring Security will terminate both the SSO and application session. When logout is complete, the user will be directed to the new logout page in the SSO proxy.

User lands on SSO proxy after Service Provider Logout

Call Logout endpoints for all known service providers

When the user lands on the SSO proxy page, a series of embedded iframes will make REST-call redirects to all known service provider logout endpoints. If the user is not actually logged in to an endpoint, the request will be ignored.

In a future enhancement, the proxy could keep track of which Service Providers the user has logged into, but this would require a longer SSO session time in the proxy, which could have a negative impact on proxy performance and cost due to the cost of caching session data for a longer period of time.

Service Provider terminates SSO and Application session

When the service provider receives the logout request, the application session and SSO session will be terminated. Since all CCC Applications will be using Spring Security SAML, both SSO and application session termination will be handled by Spring Security SAML.

SSO Proxy redirects via IFRAME to proprietary Identity Provider logout endpoint

After the IFRAME requests to the Service Provider logout endpoints, another IFRAME request will be made to the proprietary logout endpoint of the IdP that initially authenticated the user.

SSO Proxy displays message to user to close the browser.

Because the SP and IdP logout requests are made in embedded IFRAMEs, the logout process will not be visible to the user. What is rendered is a message asking the user to close their browser to ensure that they are fully logged out. (Actual text to follow)
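As an added example (not code from the original page or from the CCC project), the following JavaScript sketches the SSO proxy logout page described in the steps above: it builds an ordered logout plan (every known Service Provider first, the identity provider last), frames each endpoint in a hidden iframe, and reveals the "close your browser" message once the frames have loaded or a timeout elapses. The provider names, logout URLs and element ids are constructed placeholders; a real deployment would load the provider list from configuration. The allowlist check is the one addition a defender would want: the proxy frames only endpoints it was configured with, never a URL taken from the request.

```javascript
// Added example, not from the original page: front-channel logout page for
// the SSO proxy. Provider names and URLs below are constructed placeholders.

const KNOWN_SERVICE_PROVIDERS = [
  { name: 'Common Assessment', logoutUrl: 'https://assess.example.edu/saml/logout' },
  { name: 'Course Exchange',   logoutUrl: 'https://exchange.example.edu/saml/logout' },
];
const IDP_LOGOUT_URL = 'https://idp.example.edu/logout'; // proprietary IdP logout endpoint

// A logout URL may be framed only if it is HTTPS and its origin matches one of
// the configured endpoints; nothing taken from the incoming request is trusted.
function isAllowedLogoutUrl(url, allowedUrls) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; }
  if (parsed.protocol !== 'https:') return false;
  return allowedUrls.some((a) => new URL(a).origin === parsed.origin);
}

// Ordered plan matching the flow: every known SP first, the IdP last.
function buildLogoutPlan(providers, idpLogoutUrl) {
  const allowed = providers.map((p) => p.logoutUrl).concat([idpLogoutUrl]);
  const steps = providers.map((p) => ({ kind: 'sp', name: p.name, url: p.logoutUrl }));
  steps.push({ kind: 'idp', name: 'identity provider', url: idpLogoutUrl });
  for (const step of steps) {
    if (!isAllowedLogoutUrl(step.url, allowed)) {
      throw new Error('refusing to frame non-allowlisted logout URL: ' + step.url);
    }
  }
  return steps;
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Hidden iframe markup for each step; the user only ever sees the closing message.
function renderLogoutFrames(plan) {
  return plan.map((step) =>
    `<iframe src="${escapeAttr(step.url)}" title="${escapeAttr(step.name)} logout"` +
    ' width="0" height="0" style="display:none" referrerpolicy="no-referrer"></iframe>'
  ).join('\n');
}

// Browser side: show the "close your browser" message once every frame has
// fired load/error or the timeout elapses. The proxy cannot observe whether a
// framed logout actually cleared a session, so the message is shown either way.
function showMessageWhenDone(doc, plan, timeoutMs) {
  const container = doc.getElementById('logout-frames');   // assumed element id
  const message = doc.getElementById('logout-message');    // assumed element id
  container.innerHTML = renderLogoutFrames(plan);
  let pending = plan.length;
  const done = () => { message.style.display = 'block'; };
  const timer = setTimeout(done, timeoutMs);
  for (const frame of container.querySelectorAll('iframe')) {
    const settle = () => { if (--pending === 0) { clearTimeout(timer); done(); } };
    frame.addEventListener('load', settle);
    frame.addEventListener('error', settle);
  }
}

// Only runs in a browser; in Node the helpers above can be exercised directly.
if (typeof document !== 'undefined') {
  showMessageWhenDone(document, buildLogoutPlan(KNOWN_SERVICE_PROVIDERS, IDP_LOGOUT_URL), 5000);
}
```

Two properties of this design are worth checking in a deployment. First, an iframe GET to a service provider is a cross-site request, so the SP's session cookie is only sent if it is marked `SameSite=None; Secure`; with the Lax default the request arrives without the cookie and the SP treats the user as not logged in, which is exactly the "request will be ignored" branch, but in that case the application session survives. Second, the proxy gets no signal from inside the frames about success or failure, which is why the page ends with an instruction to close the browser rather than a confirmation that logout completed.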

In a non-federated suite of applications, where the applications and the authentication mechanism are controlled by a single institution, logout is a simple requirement to implement.
