This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Oct 25, 2016, 4:18 PM
3 Posts

Response from IBM

  • Category: Domino Server
  • Platform: All Platforms
  • Release: 9.0.1
  • Role: Administrator,Developer
  • Tags: saml,logout,authentication
  • Replies: 4

Thanks so much for your response. I received the following email from IBM after opening a ticket with them.

Unfortunately, Domino does not currently implement a SAML 2.0 single logout feature. The logout of a session is configured on the identity provider side, and it is configured in the IdP catalog database.

Configuring the single logout URL means that users are logged out of the identity provider side when they log out of IBM Domino.
This is a known SAML configuration limitation that is planned to be addressed in an upcoming release but there is no exact timeline for it.

I have subscribed this PMR to SPR # XHXH994598 - Enhancement request for Domino to have a logout feature when using SAML authentication.

Oct 25, 2016, 5:55 PM
94 Posts
You can simulate that in your code easily enough.
Just make the logout button in your application redirect the end user's browser to the IdP's logout URL after logging them out of your application. The drawback to this angle is that if the IdP serves multiple applications, the end users might be annoyed that they now need to retype their password to get into, say, the expense reimbursement system. In this model, you need a shift in mindset: logging out of an individual application is meaningless, you need to log out of the IdP directly, kill your browser window, or lock your workstation in order to protect your system.

Another approach that some folks use is to configure their IdP to not generate session cookies and require the end user to log in each time. This provides a central point of authentication, but still requires the end user to type and retype their username and password again and again and again. Some people consider this to be a good thing.
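The two-hop logout described in the reply above, as an added example that is not part of the original thread and not code from IBM/HCL or Domino: the application's logout button points at Domino's own session logout and asks Domino to send the browser on to the IdP's logout page. It assumes Domino session-based authentication is in use, so that the documented `?Logout&RedirectTo=<url>` query on a database URL ends the Domino session (the `DomAuthSessId` cookie) and redirects; the server-side part below is a simplified stand-in for that behaviour written for illustration, and every hostname, path and URL is a placeholder. The check a practitioner should keep is the allowlist on the redirect target: `RedirectTo` is a plain URL parameter, so a logout link built from untrusted input is an open redirect.

```javascript
// Added example, not code from the forum thread, from IBM/HCL, or from Domino.
// Models the two-hop logout the reply describes: the app's logout button sends
// the browser to Domino's session logout, and Domino then redirects the
// browser to the IdP's logout page.
//
// Assumptions (not stated in the thread): session-based authentication is on,
// so Domino accepts "?Logout&RedirectTo=<url>" on a database URL and expires
// its DomAuthSessId cookie; every hostname, path and URL below is a placeholder.

// Known IdP logout hosts. Only these may ever appear in RedirectTo; otherwise
// the logout link is an open redirect to wherever an attacker chooses.
const ALLOWED_IDP_HOSTS = ['sso.example.com'];

// What the application emits as the href of its "log out" button.
function buildLogoutLink(dbPath, idpLogoutUrl, allowedHosts = ALLOWED_IDP_HOSTS) {
  let target;
  try {
    target = new URL(idpLogoutUrl); // must be absolute; relative or garbage throws
  } catch (e) {
    throw new Error(`IdP logout URL must be absolute: ${idpLogoutUrl}`);
  }
  if (target.protocol !== 'https:') {
    throw new Error('IdP logout URL must use https');
  }
  if (!allowedHosts.includes(target.hostname)) {
    throw new Error(`IdP host not on allowlist: ${target.hostname}`);
  }
  // Encode once: the parameter is percent-decoded before the redirect is issued.
  return `${dbPath}?Logout&RedirectTo=${encodeURIComponent(target.href)}`;
}

// Simplified stand-in for how the Domino server answers the logout link
// (an assumption for illustration, not Domino's implementation): it expires
// the session cookie and answers 302 to RedirectTo. Nothing here validates the
// target, which is why buildLogoutLink does it before the link is ever served.
function dominoLogoutResponse(requestUrl, origin = 'https://domino.example.com') {
  const u = new URL(requestUrl, origin);
  let isLogout = false;
  let redirectTo = null;
  for (const [key, value] of u.searchParams) {
    const k = key.toLowerCase();               // treat URL commands as case-insensitive
    if (k === 'logout') isLogout = true;
    if (k === 'redirectto') redirectTo = value; // URLSearchParams already decoded it
  }
  if (!isLogout) {
    return { status: 200, location: null, setCookie: null };
  }
  return {
    status: 302,
    location: redirectTo || `${origin}/`,
    setCookie: 'DomAuthSessId=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Secure; HttpOnly',
  };
}

// Follow the chain the way a browser would and return each hop, so the
// result can be checked: app logout link -> Domino logout -> IdP logout page.
function logoutHops(link) {
  const hops = [link];
  const res = dominoLogoutResponse(link);
  if (res.status === 302) hops.push(res.location);
  return hops;
}

// Sample usage with placeholder values.
const link = buildLogoutLink('/expenses.nsf', 'https://sso.example.com/idp/profile/Logout');
console.log(logoutHops(link).join('\n  -> '));
```

The allowlist lives where the link is built rather than where the redirect is honoured, because the application controls the former; whether the real server validates `RedirectTo` is not something this thread establishes, so do not rely on it. Note that, exactly as the reply warns, the second hop ends the IdP session for every application that IdP serves.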
