[8.5.5.16 or later]

Enabling SAML web single sign-on (SSO) programmatic logout

The WebSphere® Application Server SAML Trust Association Interceptor (TAI) does not support the SAML Single Logout (SLO) profile. SLO requires a LogoutRequest to be sent to the IdP, so it cannot be accomplished with a simple redirect. However, although the SAML TAI does not support SLO, you can configure the SAML TAI with a logout URL. When the HttpServletRequest.logout method is invoked from an endpoint that is protected by the TAI, the HTTP request is redirected to this URL after the WebSphere Application Server logout is complete. This lets you redirect the user to a custom logout page.

Before you begin

This task assumes that you enabled your system to use the SAML web SSO feature. If you did not enable this feature, see Enabling your system to use the SAML web single sign-on (SSO) feature.

About this task

The following procedure explains the steps to enable SAML web SSO programmatic logout. It shows how to add a logout endpoint to your application and how to configure the SAML TAI with a logout URL. You can use this process to redirect the user to a page that logs them out from the Identity Provider.

Procedure

  1. Develop or identify a URL to which you want the SAML web SSO TAI to redirect when a logout request is received.
  2. Develop a logout endpoint to include with your application that is protected by the TAI.
    Include code in your application that is similar to the following example to create an endpoint that is protected by the TAI:
    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Logout endpoint. Deploy it under a URL that the SAML TAI intercepts
    // (see the sso_<id>.sp.filter property in step 3).
    public class SAMLLogoutServlet extends HttpServlet {
        public SAMLLogoutServlet() {
            super();
        }

        // Accept GET as well as POST so that a plain link to the logout URL works.
        protected void doGet(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {
            doPost(req, rsp);
        }

        protected void doPost(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {
            // Ends the WebSphere Application Server login; the SAML TAI then
            // redirects the browser to the configured logout URL.
            req.logout();
        }
    }
  3. Configure the SAML web SSO TAI to redirect to the logout URL from step one when a logout request is received from a protected URL.
    1. Log in to the WebSphere Application Server administrative console.
    2. Click Security > Global security.
    3. Expand Web and SIP security.
    4. Click Trust association > Interceptors.
    5. Click com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
    6. Under Custom properties, click New.
      Complete the following custom property information. In the Name value, replace <id> with the value that you assigned to the SSO Service Provider (SP) for which you want this property to apply:
      • Name: sso_<id>.sp.logoutUrl
      • Value: The logout URL that you identified in step one
    7. Ensure that the value of the sso_<id>.sp.filter property intercepts the URL on the WebSphere server that invokes the HttpServletRequest.logout() method; if the logout endpoint is not covered by the filter, the TAI does not perform the redirect.
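The following servlet is an added example, not IBM's code or the page's own sample. It implements the logout endpoint from step 2 with the checks a deployment usually wants: logout is accepted only on POST (a GET that ends a session can be triggered by any third-party page), the application HttpSession is invalidated before the container logout, and when the TAI did not redirect (the case step 7 warns about, where the sp.filter does not cover this URL) the servlet logs the gap and sends the user to a local page instead of returning an empty response. The servlet path /saml/logout and the fallback page /loggedout.html are placeholders, and the fallback assumes that the TAI's redirect commits the response before req.logout() returns.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not IBM's code). The servlet path and the fallback page are placeholders;
// the path must be matched by the sso_<id>.sp.filter property for the TAI redirect to happen.
@WebServlet("/saml/logout")
public class HardenedSamlLogoutServlet extends HttpServlet {

    // Assumed local landing page, used only when the TAI did not perform its redirect.
    private static final String FALLBACK_PAGE = "/loggedout.html";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse rsp)
            throws ServletException, IOException {
        // Only POST ends the session, so a cross-site GET (link, image tag) cannot log the user out.
        rsp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        rsp.setHeader("Allow", "POST");
        rsp.setContentType("text/plain");
        rsp.getWriter().println("Send a POST request to this URL to log out.");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse rsp)
            throws ServletException, IOException {
        // Nothing to log out for an anonymous caller; skip the container logout round trip.
        if (req.getUserPrincipal() == null) {
            rsp.sendRedirect(req.getContextPath() + FALLBACK_PAGE);
            return;
        }
        String user = req.getUserPrincipal().getName();

        // Drop application session state before the container logout so no data outlives the login.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Container logout. When this URL is covered by sso_<id>.sp.filter and sso_<id>.sp.logoutUrl
        // is set, the SAML TAI redirects the browser to the logout URL as part of this call.
        req.logout();
        log("SAML logout completed for user " + user);

        // If the TAI did not redirect, the response is still uncommitted: record the likely
        // misconfiguration and send the user to a local page rather than a blank response.
        if (!rsp.isCommitted()) {
            log("SAML TAI did not redirect after logout; check sso_<id>.sp.filter and sso_<id>.sp.logoutUrl");
            rsp.sendRedirect(req.getContextPath() + FALLBACK_PAGE);
        }
    }
}
```

The @WebServlet annotation requires Servlet 3.0 or later; on older web modules map the servlet in web.xml instead. The fallback branch is also a useful smoke test after configuration: a logout that lands on the local page rather than on the URL from step 1 means the TAI is not intercepting the logout endpoint.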