IBM Verify

  • 1.  ISAM Single Logout

    Posted Mon June 24, 2019 01:35 PM
    We are using ISAM as the IdP and Splunk/Tableau as the SPs. We can SSO to Splunk and Tableau from a portal protected by ISAM. Is there any way we can log the users out of the SPs when they log out from the portal?
    How can we achieve this?

    ------------------------------
    Venkat
    ------------------------------


  • 2.  RE: ISAM Single Logout

    Posted Tue June 25, 2019 04:58 AM
    Hi Venkat,

    Access Manager supports the Single Logout (SLO) protocol for SAML 2.0 which is the "standard" way to provide what you're asking for.  However, this protocol isn't that widely adopted by SaaS providers.  I don't know if Splunk or Tableau support it.

    If they *do* support it then you would need to update the portal so that when a user hits the "logout" button, it redirects to the SLO trigger URL for Access Manager.  If you know what the SLO endpoint is then the Access Manager trigger URL is:

    HTTP(S)://<SLO Endpoint>initial[?RequestBinding=<Binding>] (where <Binding> is likely HTTPRedirect or HTTPPost)

    If the Service Providers do not support SLO, you'd have to find some non-standard way to trigger logout on each system.  For example, you could have a page which loads the logout URL of each service in an iframe.  You would make this page the logout page on the portal.

    In my experience, Single Logout doesn't deliver on its promise because there are too many potential failure conditions which may or may not leave the user logged in at an SP.  In general it's better to request the user close their browser to securely end all sessions.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
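The fallback described in the reply above (a portal logout page that loads each SP's logout URL in a hidden iframe, then redirects to the Access Manager SLO trigger URL), written out as an added example. This is not code from the thread or from IBM's product; the hostnames, the SP logout paths and the SLO endpoint path are assumptions, and only the `<SLO Endpoint>initial[?RequestBinding=<Binding>]` shape of the trigger URL comes from the reply.

```javascript
"use strict";

// Assumed values, not from the thread: the ISAM SAML 2.0 IdP SLO endpoint
// and the per-SP logout URLs. Replace with the real ones for your deployment.
const ISAM_SLO_ENDPOINT = "https://idp.example.com/isam/sps/saml20idp/saml20/slo";
const SP_LOGOUT_URLS = [
  "https://splunk.example.com/account/logout",
  "https://tableau.example.com/logout",
];

// Access Manager SLO trigger URL: "<SLO endpoint>initial", optionally with a
// RequestBinding. Only the two bindings named in the reply are accepted.
function buildSloTriggerUrl(sloEndpoint, binding = "HTTPRedirect") {
  const bindings = ["HTTPRedirect", "HTTPPost"];
  if (!bindings.includes(binding)) {
    throw new Error(`unsupported RequestBinding: ${binding}`);
  }
  return `${sloEndpoint}initial?RequestBinding=${encodeURIComponent(binding)}`;
}

// The logout page must only ever frame URLs from a fixed allowlist of HTTPS
// origins; a logout page that frames caller-supplied URLs is an abuse vector.
function isAllowedLogoutUrl(url, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  return parsed.protocol === "https:" && allowedOrigins.includes(parsed.origin);
}

// Fan logout out to every SP and report per-SP status ("loaded" or "timeout")
// once all have answered or the deadline passes. The frame loader is injected
// so the completion logic can be exercised outside a browser.
function createLogoutFanout({ urls, timeoutMs, loadFrame, onFinish }) {
  const status = new Map(urls.map((u) => [u, "pending"]));
  let finished = false;

  const finish = () => {
    if (finished) return;
    finished = true;
    clearTimeout(timer);
    onFinish(Object.fromEntries(status));
  };

  // Deadline: an SP that never answers must not keep the user on this page.
  const timer = setTimeout(() => {
    for (const [u, s] of status) {
      if (s === "pending") status.set(u, "timeout");
    }
    finish();
  }, timeoutMs);

  for (const u of urls) {
    loadFrame(u, () => {
      status.set(u, "loaded");
      if ([...status.values()].every((s) => s !== "pending")) finish();
    });
  }
  if (urls.length === 0) finish();
  return status;
}

// Browser wiring: one hidden iframe per SP, then redirect to the IdP trigger
// URL so Access Manager ends its own session (and runs SAML SLO for any SP
// that does support it). Call from the portal logout page as
// runPortalLogout(document, window).
function runPortalLogout(doc, win) {
  const allowedOrigins = SP_LOGOUT_URLS.map((u) => new URL(u).origin);
  const urls = SP_LOGOUT_URLS.filter((u) => isAllowedLogoutUrl(u, allowedOrigins));
  createLogoutFanout({
    urls,
    timeoutMs: 3000,
    loadFrame: (url, onDone) => {
      const frame = doc.createElement("iframe");
      frame.style.display = "none";
      // A cross-origin iframe fires "load" even when the SP answers with an
      // error page, so "loaded" means "the request completed", not "logged out".
      frame.addEventListener("load", onDone);
      frame.src = url;
      doc.body.appendChild(frame);
    },
    onFinish: () => win.location.assign(buildSloTriggerUrl(ISAM_SLO_ENDPOINT)),
  });
}
```

One caveat worth testing before relying on this: the iframe request only ends the SP session if the browser sends the SP's session cookie with it. Browsers that block third-party cookies, or SP cookies set with SameSite=Lax or Strict, will not send it, so the SP session survives while the page still reports "loaded". That is one of the failure conditions the reply above warns about, and it is invisible to the portal.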



  • 3.  RE: ISAM Single Logout

    Posted Wed June 26, 2019 02:26 AM
    Hi Jon,

    How does closing the browser kill sessions on the IdP or SP? It may clear cookies (depending on the browser's setup, and given they aren't persistent), but the session should still be alive until it times out. Am I getting something wrong?

    thanks
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------



  • 4.  RE: ISAM Single Logout

    Posted Mon July 01, 2019 05:36 AM
    Jens,

    You are correct; closing the browser doesn't remove the session from the server side - it would remain until it times out.  This is the same any time a user closes their browser without explicitly logging out.

    There are downsides here: the session is still consuming resources on the server side and remains vulnerable if an attacker has a stolen session cookie from somewhere.

    My point was simply that this is about as good as it gets if proper Single Logout is not supported by the federation partners.

    Perhaps I should have said: " In general it's a good idea to also request the user close their browser in addition to whatever single logout you choose to implement".

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------