From: Krzysztof B. <kb...@un...> - 2021-12-01 14:53:18
Hi Sander,

On 01.12.2021 at 11:08, Sander Apweiler wrote:

> Hi Krzysztof,
> In the past we did not support/use SLO because most users did not want to be logged
> out of all services when they log out from one. This opinion is changing,
> especially among the users who are managers.
>
> We did not change any attributes from the default Unity config. Can you
> give us a hint which attributes must be configured to perform SLO? Of
> course we must configure the SLO endpoints of the accepted SPs. The SLO
> endpoints of the upstream IdPs should be fetched from the metadata
> file, if they are provided within. Is this assumption correct?
> Besides this, do we only need to configure
> - unity.saml.requester.sloPath=/SLO-WEB
> - unity.saml.requester.sloRealm=defaultRealm
>
> I guess unityServer.core.logoutMode is only for clicking on the logout
> button in Unity. But also here we recognized that using the default value
> internalAndSyncPeers doesn't log you out from the IdP. But maybe this is
> also not working because we did not enable SLO.

That's a hard question, as you have a proxy, and SLO may mean many things in the case of a proxy.

So first the global parameter: it rules what happens when there is any logout in Unity. It can be triggered in one of Unity's UIs (e.g. home) or via API (currently only the SAML endpoint offers that). So it can be no-SLO (just kill the local session) or SLO (kill the local session and trigger logouts of all peers that support SLO - again only supported for SAML).

So everything else you need to configure is the proper endpoints: of the SAML SPs (that you want to log out from Unity), of the Unity IdP (so that SAML SPs relying on Unity can request logout), and of the external IdPs (so that Unity can log out upstream IdPs).

You can enable this little by little and test - which I strongly suggest. Also pay attention to your configuration of realms - SLO never crosses a realm's boundary.

This is still pretty valid, although it does not mention configuration via the Console UI: https://www.unity-idm.eu/documentation/unity-1.9.0/saml-howto.html#_using_single_logout_slo

Best,
Krzysztof
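As an added illustration (not from the thread and not Unity's own code): a small Python check that reads a merged Unity properties file and flags the three preconditions Krzysztof names, the global logout mode, the requester SLO path and realm, and endpoints sitting outside the SLO realm. Only the keys quoted in the thread come from the page; the `endpointRealm` key and the `internalOnly`/`internalAndAsyncPeers` mode names are assumptions.

```python
import re

# Assumed names of the peer-logout modes (only internalAndSyncPeers appears in the thread).
SLO_MODES = {"internalAndSyncPeers", "internalAndAsyncPeers"}
DEFAULT_LOGOUT_MODE = "internalAndSyncPeers"  # default value as stated in the thread
PROP_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")
# Assumed key that ties an endpoint to a realm; adjust if your Unity version names it differently.
REALM_RE = re.compile(r"^unityServer\.core\.endpoints\.(\d+)\.endpointRealm$")


def parse_properties(text):
    """Parse Java-style key=value lines; '#' comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_slo(props):
    """Return a list of findings; an empty list means the SLO preconditions look consistent."""
    findings = []
    mode = props.get("unityServer.core.logoutMode", DEFAULT_LOGOUT_MODE)
    if mode not in SLO_MODES:
        findings.append(f"logoutMode={mode}: only the local session is killed, peers are never notified")
    slo_realm = props.get("unity.saml.requester.sloRealm")
    if not props.get("unity.saml.requester.sloPath"):
        findings.append("unity.saml.requester.sloPath missing: upstream IdPs cannot send LogoutRequests")
    if not slo_realm:
        findings.append("unity.saml.requester.sloRealm missing")
    # SLO never crosses a realm boundary: sessions on endpoints in other realms stay alive.
    for key, realm in props.items():
        m = REALM_RE.match(key)
        if m and slo_realm and realm != slo_realm:
            findings.append(f"endpoint {m.group(1)} is in realm {realm}, not {slo_realm}: SLO will not reach it")
    return findings


# Constructed sample: SLO path/realm set, but logout mode is local-only and one endpoint is in another realm.
SAMPLE_CONFIG = """
# merged excerpt of unityServer.conf and the SAML authenticator properties (constructed)
unityServer.core.logoutMode=internalOnly
unity.saml.requester.sloPath=/SLO-WEB
unity.saml.requester.sloRealm=defaultRealm
unityServer.core.endpoints.1.endpointRealm=defaultRealm
unityServer.core.endpoints.2.endpointRealm=adminRealm
"""

if __name__ == "__main__":
    for finding in check_slo(parse_properties(SAMPLE_CONFIG)):
        print("WARN:", finding)
```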