-
1. Re: Can PicketLink check if the IDP has invalidated the session (aka "kick a user"?)
jeanluc Nov 30, 2010 10:08 AM (in response to jeanluc)
After more research, I see that SAML allows IDP-initiated logouts (which lead to a logout request sent from the IDP to the SP and the response in the opposite direction).
Is this possible with PicketLink?
-
2. Re: Can PicketLink check if the IDP has invalidated the session (aka "kick a user"?)
marcelkolsteren Nov 30, 2010 5:51 PM (in response to jeanluc)
Yeah, sure, this is supported. In fact, the PicketLink SP doesn't even know whether it was an IDP-initiated logout or a logout initiated by another SP which participated in the same session. In both cases, it handles the logout request.
More under the hood of PicketLink: the SamlSingleLogoutReceiver not only has a processIDPResponse method (for handling the response to a logout initiated by PicketLink), but also a processIDPRequest method (for handling a logout request coming in from the IDP).
These days there was a forum discussion about this IDP-initiated single logout functionality:
-
3. Re: Can PicketLink check if the IDP has invalidated the session (aka "kick a user"?)
jeanluc Nov 30, 2010 5:45 PM (in response to marcelkolsteren)
Great. Thanks. Is there any configuration needed to enable it or will it just be a regular SAML request-response between the IDP and the SDP?
-
4. Re: Can PicketLink check if the IDP has invalidated the session (aka "kick a user"?)
marcelkolsteren Nov 30, 2010 5:53 PM (in response to jeanluc)
I was still editing my response when your answer to the previous version of my response was coming in. So please read the updated version for some more details.
Regarding your last question: no additional configuration is required.
-
5. Re: Can PicketLink check if the IDP has invalidated the session (aka "kick a user"?)
jeanluc Nov 30, 2010 5:55 PM (in response to marcelkolsteren)
Perfect, thanks!
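The logout exchange discussed in this thread (a LogoutRequest arriving at the SP, a LogoutResponse going back), sketched at the SAML message level. This is an added example, not PicketLink code and not from any poster; `handle_logout_request`, the session-store layout and the sample message are hypothetical, and signature validation of the incoming request is assumed to have been done before the function is called.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": P, "saml": A}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed sample: a LogoutRequest as an IDP would send it to the SP.
SAMPLE_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{P}" xmlns:saml="{A}"
    ID="_req-123" Version="2.0" IssueInstant="2010-11-30T17:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:NameID>jeanluc</saml:NameID>
  <samlp:SessionIndex>idx-42</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def handle_logout_request(xml_text, sessions, trusted_idp, sp_entity_id):
    """End matching local sessions; return (status, LogoutResponse XML)."""
    # Assumption: the XML signature was already verified by the caller and
    # the input came through a hardened parser (e.g. defusedxml) in production.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % P:
        raise ValueError("not a LogoutRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:NameID", namespaces=NS)
    indexes = {e.text for e in root.findall("samlp:SessionIndex", NS)}
    status = REQUESTER
    if issuer == trusted_idp and name_id:
        # No SessionIndex in the request means: end every session of that principal.
        doomed = [k for k, s in sessions.items()
                  if s["name_id"] == name_id
                  and (not indexes or s["session_index"] in indexes)]
        for k in doomed:
            del sessions[k]
        status = SUCCESS
    # InResponseTo ties the response to the request ID so the IDP can correlate it.
    resp = ET.Element("{%s}LogoutResponse" % P, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "InResponseTo": root.get("ID", "")})
    ET.SubElement(resp, "{%s}Issuer" % A).text = sp_entity_id
    st = ET.SubElement(resp, "{%s}Status" % P)
    ET.SubElement(st, "{%s}StatusCode" % P, {"Value": status})
    return status, ET.tostring(resp, encoding="unicode")
```

A request from an issuer other than the trusted IDP leaves the session store untouched and is answered with a Requester status.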