SLO functionality SAML2 integration

Article ID: 208336

Products

SITEMINDER

Issue/Introduction

We're running Federation Services and we'd like to know whether we can
implement, in a single configuration, SLO for all the Federation
applications, OIDC and the other protocols.

Is there a way to achieve this?

Environment

Policy Server 12.8SP5 on RedHat 8

Resolution

First, sessions in SiteMinder are maintained in the SMSESSION cookie,
which is set in the browser, and optionally the session can also be
maintained in a Session Store.

For a given session, once the entry is deleted from the Session Store,
the corresponding SMSESSION cookie is no longer usable.

Since different Federation partnerships create different sessions, SLO
has to be configured on each of them, and you will also want to make
sure that the SMSESSION cookie itself gets deleted.

For Federation:

  SSO and SLO Dialog (SAML 2.0 SP)

    To see the SLO settings, enable the session server from the Policy
    Server Management Console.

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/sso-and-slo-dialog-saml-2-0-sp.html

To remove the SMSESSION cookie:

  Comprehensive Log Out
  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/comprehensive-log-out.html#concept.dita_eeefd22588cc0982bab755d1427fe80a1f8a3281_ConfigureFullLogoff
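As an added illustration of the two points above (per-partnership SLO and removal of the SMSESSION cookie), the following Python model shows why ending one federation session leaves the gateway session usable, and why deleting the Session Store entry behind the cookie is what actually invalidates it. This is not SiteMinder code: the store layout, method names, user and partner names are all assumptions made for the example.

```python
"""Toy model of a gateway session (SMSESSION cookie bound to a Session Store
entry) with separate federation sessions per partnership.
Hypothetical illustration, not SiteMinder's implementation."""
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    # session id -> user name (the entry the SMSESSION cookie points at)
    sessions: dict = field(default_factory=dict)
    # (session id, partner) -> federation session id, one per partnership
    federations: dict = field(default_factory=dict)


class Gateway:
    def __init__(self):
        self.store = SessionStore()

    def login(self, user):
        """Create a store entry and return the cookies the browser would hold."""
        sid = secrets.token_hex(16)
        self.store.sessions[sid] = user
        return {"SMSESSION": sid}

    def is_valid(self, cookies):
        """The cookie is only usable while its Session Store entry exists."""
        return cookies.get("SMSESSION") in self.store.sessions

    def federate(self, cookies, partner):
        """Start a federation session for one partnership on top of the SMSESSION."""
        sid = cookies.get("SMSESSION")
        if sid not in self.store.sessions:
            raise PermissionError("no valid SMSESSION")
        self.store.federations[(sid, partner)] = secrets.token_hex(8)

    def has_federation(self, cookies, partner):
        return (cookies.get("SMSESSION"), partner) in self.store.federations

    def partner_slo(self, cookies, partner):
        """SLO configured on a single partnership: ends only that federation session."""
        self.store.federations.pop((cookies.get("SMSESSION"), partner), None)

    def comprehensive_logout(self, cookies):
        """Delete the Session Store entry and drop the cookie; everything built on it dies."""
        sid = cookies.pop("SMSESSION", None)
        self.store.sessions.pop(sid, None)
        for key in [k for k in self.store.federations if k[0] == sid]:
            del self.store.federations[key]


def walkthrough():
    """Constructed scenario: what is still alive after each logout step."""
    gw = Gateway()
    cookies = gw.login("alice")      # constructed user
    gw.federate(cookies, "sp-a")     # constructed partner names
    gw.federate(cookies, "sp-b")

    # SLO on partnership sp-a alone: the SMSESSION and sp-b session survive.
    gw.partner_slo(cookies, "sp-a")
    after_partner_slo = {
        "smsession_valid": gw.is_valid(cookies),
        "sp_a": gw.has_federation(cookies, "sp-a"),
        "sp_b": gw.has_federation(cookies, "sp-b"),
    }

    # Comprehensive logout: store entry gone, so nothing remains usable.
    gw.comprehensive_logout(cookies)
    after_full_logout = {
        "smsession_valid": gw.is_valid(cookies),
        "sp_a": gw.has_federation(cookies, "sp-a"),
        "sp_b": gw.has_federation(cookies, "sp-b"),
    }
    return after_partner_slo, after_full_logout


if __name__ == "__main__":
    print(walkthrough())
```

The first result is the residual-session risk to check for in a real deployment: a partner-initiated logout that only clears its own federation session leaves the SMSESSION cookie valid, so a shared browser still holds a live gateway session until the comprehensive logout step runs.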

Finally, as of February 11th 2021, according to the following KB
article, there is no logout functionality for OIDC:

  If there is SLO enabled, and the SMSESSION user logs out - are the associated OIDC session entries also deleted?
  https://knowledge.broadcom.com/external/article?articleId=196120

So you can't set a single SLO Federation configuration covering all
your partnerships at once.