The WebSphere® Application Server SAML Trust Association Interceptor (TAI) does not support the SAML Single Logout (SLO) Profile. With SAML SLO, a LogoutRequest message is sent to the IdP, so SLO cannot be accomplished with a simple redirect. Although the SAML TAI does not support SLO, you can configure it with a logout URL. When the HttpServletRequest.logout method is invoked from an endpoint that is protected by the TAI, the HTTP request is redirected to this URL after the WebSphere Application Server logout is complete. This lets you redirect the user to a custom logout page, for example a page that logs the user out from the Identity Provider.
Before you begin
This task assumes that you enabled your system to use the SAML web SSO feature. If you did not enable this feature, see Enabling your system to use the SAML web single sign-on (SSO) feature.
About this task
The following procedure explains the steps to enable SAML web SSO programmatic logout. It shows how to add a logout endpoint to your application and how to configure the SAML TAI with a logout URL. You can use this process to redirect to a page that logs the user out from the Identity Provider; the WebSphere logout itself ends only the WebSphere Application Server session, not the IdP session.
Procedure
- Develop or identify a URL to which you want the SAML web SSO TAI to redirect when a logout request is received.
- Develop a logout endpoint to include with your application that is protected by the TAI.
  Include code in your application that is similar to the following example to create an endpoint that is protected by the TAI:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SAMLLogoutServlet extends HttpServlet {
    public SAMLLogoutServlet() {
        super();
    }

    // GET and POST behave the same: both end the WebSphere session.
    protected void doGet(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {
        doPost(req, rsp);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {
        // Ends the WebSphere Application Server authenticated session. When the SAML TAI
        // is configured with sso_<id>.sp.logoutUrl and intercepts this request, it
        // redirects the response to that URL after the logout completes.
        req.logout();
    }
}
- Configure the SAML web SSO TAI to redirect to the logout URL from step one when a logout request is received from a protected URL.
  - Log in to the WebSphere Application Server administrative console.
  - Click .
  - Expand Web and SIP security.
  - Click .
  - Click com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
  - Under Custom properties, click New.
    Complete the following custom property information. In the Name value, replace <id> with the value that you assigned to the SSO Service Provider (SP) for which you want this property to apply:
    - Name: sso_<id>.sp.logoutUrl
    - Value: The logout URL that you identified in step one
  - Ensure that the value of the sso_<id>.sp.filter property intercepts the URL on the WebSphere server that invokes the HttpServletRequest.logout() method, that is, the logout endpoint from step two. If the filter does not match that URL, the TAI does not process the request and no redirect to the logout URL occurs.
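The following servlet is an added example that is not part of this page or of WebSphere itself. It carries the procedure above through: it invalidates the application's HTTP session, calls HttpServletRequest.logout() so that a TAI configured with sso_<id>.sp.logoutUrl can redirect, and falls back to a local page when no redirect happened. The servlet path /samlLogout, the fallback page /loggedOut.html, and the use of rsp.isCommitted() to detect the TAI redirect are assumptions made for the example.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout endpoint for an application protected by the SAML web SSO TAI.
 *
 * Assumptions (not from the original page): the servlet is mapped at
 * /samlLogout, that path is matched by the sso_<id>.sp.filter property so
 * the TAI intercepts it, and FALLBACK_URL is an application page used only
 * when the TAI did not issue a redirect.
 */
@WebServlet("/samlLogout")
public class SAMLLogoutServlet extends HttpServlet {

    // Hypothetical local page; normally the TAI redirects to sso_<id>.sp.logoutUrl.
    private static final String FALLBACK_URL = "/loggedOut.html";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse rsp)
            throws ServletException, IOException {
        doPost(req, rsp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse rsp)
            throws ServletException, IOException {
        // Drop application state first so that no session attributes survive
        // for a later user of the same browser.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Ends the WebSphere Application Server authenticated session. When
        // sso_<id>.sp.logoutUrl is configured and this request was intercepted
        // by the TAI, WebSphere redirects the response to that URL during this call.
        req.logout();

        // If no redirect was issued (property not set, or the filter did not
        // match this URL), send the browser to a local page instead of leaving
        // an empty response. Assumed behaviour, not stated on the page.
        if (!rsp.isCommitted()) {
            rsp.sendRedirect(req.getContextPath() + FALLBACK_URL);
        }
    }
}
```

Deploy the servlet inside the application that the TAI protects, and make sure the sso_<id>.sp.filter value matches /samlLogout under that application's context root; otherwise the request never reaches the TAI and the fallback branch is the only thing the user sees. Accepting GET keeps parity with the page's example, but a POST-only endpoint with a CSRF token prevents a cross-site link from forcing a logout.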