Versions Compared

Old Version 15

changes.mady.by.user Parker Neff

Saved on

compared with

New Version 16

changes.mady.by.user Chris Franz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The user clicks logout in the Service provider (i.e Common Assessment).  Since all CCC Services use Spring Security SAML (CWF - Is this a valid assumption?), logging out in Spring Security will terminate both the SSO and application session.  When logout is complete, the user will be directed to the new logout page in the SSO proxy.

...

When the user lands on the SSO proxy page, a services series of embedded iframes will make rest IFRAME requests makes REST call redirects to all known service provider endpoints.  If the user is not actually logged into to an endpoint, the request will be ignored.  

In a future enhancement, the proxy could keep track of of Service providers the user has logged into, but this will required a longer SSO Session time in the proxy which could have a negative impact on proxy performance and cost do to the cost of caching session data for longer period of time(CWF - The number of service providers is growing quickly, especially with the addition of Canvas and Hobsons SPs.  I think the cost of caching these would be minimal compared to the downside of not doing so.)

Service Provider terminates SSO and Application session

When the service provider receives the logout request the application session and SSO session will be terminated.  Since all CCC Applications will be using Spring Security SAMLSAML (CWF - Is this a valid assumption?) , both SSO and application session termination will be handled by Spring Security SAML

SSO Proxy redirects via IFRAME to proprietary Identity Provider logout endpoint

.

After the IFRAME requests to the Service Provider Logout endpoints endpointsm another IFRAME request will be issued to the proprietary logout endpoint of the IDP that initially authenticated the user (authsource).

SSO Proxy displays message to user to close the browser.

Because the SP and IDP logout request are made in embedded IFRAMES it , the logout process will not be visible to the user. What is rededered rendered is a message to the user to close there browser to ensure that they are fully logged out. (Actual text to follow)

...

  • The application containing the logout link (and SSO session if separate) terminating.
  • All other Technology center applications  (and SSO session if separate) terminating.
  • The IDP (and Proxy?) session terminating.
  • A final page instructing the user to close the browser.

...

  • The application containing the logout link (and SSO session if separate) terminating.
  • The IDP (and Proxy?) session terminating.
  • A final page instructing the user to close the browser.

...