4 Replies Latest reply on Oct 15, 2013 9:43 AM by Stan Silvert

    Global Logout "up to 5 participants"?

    Stan Silvert Master

      I'm just getting started with PicketLink and reading through the doco at http://docs.jboss.org/picketlink/2/latest/reference/pdf/picketlink-reference-guide.pdf

      In section 10.5.8 Single Logout, it says:

      Even though the SAML v2.0 specification has support for Global Logout, you have to use it very very wisely. Just remember that you need to keep the participants to a low number (say upto 5 participants with one IDP).

      What is a "participant"?  I don't find this term defined anywhere else.

      Also, can someone elaborate on why you need to keep the number of participants low?

      Thanks,

      Stan

      P.S. Great docs overall !!

        • 1. Re: Global Logout "up to 5 participants"?
          Anil Saldanha Master

          The participant in a non technical world would be SAML Service Provider from the technical world.  Any web app that uses an IDP would be a participant.

          • 2. Re: Global Logout "up to 5 participants"?
            Stan Silvert Master

            Anil Saldanha wrote:

            The participant in a non technical world would be SAML Service Provider from the technical world.  Any web app that uses an IDP would be a participant.

            Got it.  So (participant == SAML SP)

            What problems will I run into if I have global logout using 10 participants with one IDP?

            I'm looking for some insight into how global logout works.

            Stan

            • 3. Re: Global Logout "up to 5 participants"?
              Anil Saldanha Master

              Stan Silvert wrote:

              Anil Saldanha wrote:

              The participant in a non technical world would be SAML Service Provider from the technical world.  Any web app that uses an IDP would be a participant.

              Got it.  So (participant == SAML SP)

              What problems will I run into if I have global logout using 10 participants with one IDP?

              I'm looking for some insight into how global logout works.

              Stan

              There is always the browser involved.  Assume the user has accessed 10 apps and all of them have used the IDP for authentication.  Now the user initiates a SAML global logout by clicking a button/link, then there is a workflow happening where the IDP will perform a logout at each of the SPs before it chucks the IDP session.  Remember the SP may have established its own session for the user. The LogoutRequest from the IDP gives an opportunity for the SP to log out the user and reply success/fail to the IDP via a LogoutResponse. Once the logout has been successful at all SPs, the IDP will send a successful response back to the initiating SP and the SP can log the user out. GLO is a feature that makes me quite nervous (even though it is quite handy).  Some open source projects such as Shibboleth do not support GLO.

              Given the complexity of the GLO workflow and different implementations of SP, it is not a 100% guaranteed process.  So it is better to keep the number of participants low. I don't think 10 will be an issue. But I don't have the perfect number.  As low as you can go.

              It is also possible that one or more SPs may not be supporting global logout. Then the workflow is not clearly defined by the specs.
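The fan-out Anil describes, as an added example that is not part of the thread and not PicketLink code: a Python model of one IdP driving SAML 2.0 single logout across N service providers. Messages are plain dataclasses instead of signed XML, "transport" is a direct method call instead of the HTTP-Redirect/POST binding through the browser, and the scenario helper `run_scenario`, the entity IDs and the user "alice" are constructed for the example. The status URIs (`Success`, `Responder`, `PartialLogout`) are the ones SAML 2.0 Core defines. It shows the two failure modes from the reply above (an SP whose local session no longer matches the IdP's SessionIndex, and an SP with no single-logout endpoint at all) leaving the user logged in at those SPs while the IdP still reports a partial logout, plus the check an SP needs so that a forged LogoutRequest from someone other than its IdP cannot knock users offline. Tearing down the IdP session even when some SPs fail is a modelling choice here, not something taken from the page.

```python
"""Model of a SAML 2.0 single logout fan-out from one IdP to N SPs.

Added example for this thread, not PicketLink code: messages are plain
dataclasses rather than signed XML, and "transport" is a direct method
call rather than an HTTP-Redirect/POST binding via the browser.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import secrets

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


def new_id() -> str:
    return "_" + secrets.token_hex(8)


@dataclass
class LogoutRequest:
    issuer: str          # entityID of the sender
    name_id: str         # the principal being logged out
    session_index: str   # which IdP session this request is about
    request_id: str = field(default_factory=new_id)


@dataclass
class LogoutResponse:
    issuer: str
    in_response_to: str
    status: str
    second_level: Optional[str] = None


class ServiceProvider:
    """A participant: one local session per user, tagged with the IdP
    SessionIndex it was established from."""

    def __init__(self, entity_id: str, idp_entity_id: str, supports_slo: bool = True):
        self.entity_id = entity_id
        self.idp_entity_id = idp_entity_id
        self.supports_slo = supports_slo
        self.sessions: Dict[str, str] = {}  # name_id -> session_index

    def login(self, name_id: str, session_index: str) -> None:
        self.sessions[name_id] = session_index

    def handle_logout_request(self, req: LogoutRequest) -> LogoutResponse:
        # Only our own IdP may log our users out, and only for the session we
        # actually hold. Without these checks anyone who learns a NameID could
        # forge LogoutRequests and knock users offline.
        if req.issuer != self.idp_entity_id:
            return LogoutResponse(self.entity_id, req.request_id, RESPONDER)
        if self.sessions.get(req.name_id) != req.session_index:
            return LogoutResponse(self.entity_id, req.request_id, RESPONDER)
        del self.sessions[req.name_id]
        return LogoutResponse(self.entity_id, req.request_id, SUCCESS)


class IdentityProvider:
    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self.sps: Dict[str, ServiceProvider] = {}
        self.sessions: Dict[str, tuple] = {}  # session_index -> (name_id, [participants])

    def register(self, sp: ServiceProvider) -> None:
        self.sps[sp.entity_id] = sp

    def authenticate(self, name_id: str, sp_id: str) -> str:
        """SSO login of name_id at sp_id, reusing the user's IdP session."""
        for idx, (nid, _) in self.sessions.items():
            if nid == name_id:
                break
        else:
            idx = new_id()
            self.sessions[idx] = (name_id, [])
        self.sessions[idx][1].append(sp_id)
        self.sps[sp_id].login(name_id, idx)
        return idx

    def handle_logout_request(self, req: LogoutRequest) -> LogoutResponse:
        """GLO: LogoutRequest to every other participant, collect responses,
        drop the IdP session, then answer the initiating SP."""
        name_id, participants = self.sessions[req.session_index]
        failed: List[str] = []
        for sp_id in participants:
            if sp_id == req.issuer:
                continue  # the initiator logs itself out when it gets our response
            sp = self.sps[sp_id]
            if not sp.supports_slo:
                failed.append(sp_id)  # no SingleLogoutService endpoint: nothing to send
                continue
            resp = sp.handle_logout_request(LogoutRequest(self.entity_id, name_id, req.session_index))
            if resp.status != SUCCESS:
                failed.append(sp_id)
        del self.sessions[req.session_index]  # modelled choice: IdP session ends either way
        return LogoutResponse(self.entity_id, req.request_id, SUCCESS, PARTIAL_LOGOUT if failed else None)


def run_scenario(sp_ids, stale=(), no_slo=(), initiator=None) -> dict:
    """Constructed scenario: 'alice' SSOs into every SP, then starts GLO from
    `initiator`. SPs in `stale` hold a session under a different SessionIndex
    (e.g. re-authenticated elsewhere); SPs in `no_slo` have no SLO endpoint."""
    idp = IdentityProvider("https://idp.example")
    for sp_id in sp_ids:
        idp.register(ServiceProvider(sp_id, idp.entity_id, supports_slo=sp_id not in no_slo))
    for sp_id in sp_ids:
        idx = idp.authenticate("alice", sp_id)
    for sp_id in stale:
        idp.sps[sp_id].sessions["alice"] = "_stale"
    initiator = initiator or sp_ids[0]
    resp = idp.handle_logout_request(LogoutRequest(initiator, "alice", idx))
    if resp.status == SUCCESS:
        idp.sps[initiator].sessions.pop("alice", None)  # initiator's own turn
    still_in = sorted(s for s, sp in idp.sps.items() if "alice" in sp.sessions)
    return {"status": resp.status, "second_level": resp.second_level,
            "still_logged_in": still_in, "idp_sessions": len(idp.sessions)}


if __name__ == "__main__":
    ids = [f"sp-{i:02d}" for i in range(1, 11)]
    print(run_scenario(ids))
    print(run_scenario(ids, stale=("sp-04",), no_slo=("sp-09",)))
```

The second scenario is the one to watch: the IdP session is gone and the initiating SP is told `Success` with a second-level `PartialLogout`, yet the user still has live sessions at sp-04 and sp-09. Every extra participant is another SP whose implementation, session state or metadata can put it in that `failed` list, which is the practical reason behind "as low as you can go"; and whatever the count, the SP-side issuer and SessionIndex checks are what stop the logout endpoint from becoming a denial-of-service button.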

              • 4. Re: Global Logout "up to 5 participants"?
                Stan Silvert Master

                Thanks Anil.  That's very helpful.

                Stan