We are currently creating a SimpleSAMLphp-based SSO/SLO implementation for an existing application based on CakePHP, to connect to an Identity Provider and authenticate users with accounts on the Identity Provider. The existing users in the application will still authenticate with their local credentials, and the application will keep its session management for authentication.

I therefore need to implement an application-specific SLO SOAP service which logs the users out of the application if the user logs out from another application using the same Identity Provider.

My question: Is it possible to change the SingleLogoutService in the generated metadata to point to an application-specific SOAP service, which in turn logs the user out from both the service provider and the application?

Awemo

1 Answer

We finally decided to use a different solution for the problem. The SingleLogoutService which is provided automatically by SimpleSAMLphp is responsible for deleting the Single Sign-On session when the user is logged out from the Identity Provider. The application then checks SimpleSAMLphp's session when the user attempts to access a protected resource and logs the user out if the user is no longer authenticated with the Identity Provider.

Awemo
  • This results in an additional request whenever a page is opened in the protected app if I understood it correctly. I am having the same problem right now and would like to avoid this additional request. I will create a new question regarding this. – Daniel Bürckner Feb 02 '23 at 09:24
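
The per-request check described in the answer could look like the sketch below. It is an added example, not code from the original posts or from SimpleSAMLphp. The install path, the `default-sp` auth source and the application session keys `user_id` and `auth_via_sso` are assumptions, as is SimpleSAMLphp being configured with its own session cookie name so that it does not collide with the application's PHP session.

```php
<?php
// Added example. Assumed names: install path, 'default-sp' auth source,
// and the application session keys 'user_id' / 'auth_via_sso'.
require_once '/var/simplesamlphp/lib/_autoload.php'; // src/_autoload.php on 2.x

/** Pure decision for the current request: 'anonymous', 'keep' or 'logout'. */
function sloDecision(array $appSession, callable $idpSessionActive): string
{
    if (empty($appSession['user_id'])) {
        return 'anonymous';
    }
    // Users who signed in with local credentials are not bound to the IdP,
    // so a logout at the IdP must not end their application session.
    if (empty($appSession['auth_via_sso'])) {
        return 'keep';
    }
    // SSO users stay logged in only while SimpleSAMLphp still holds a session;
    // its SingleLogoutService deletes that session on IdP-initiated logout.
    return $idpSessionActive() ? 'keep' : 'logout';
}

/** Ask SimpleSAMLphp whether the service provider session still exists. */
function idpSessionActive(string $authSource = 'default-sp'): bool
{
    $as = new \SimpleSAML\Auth\Simple($authSource);
    $active = $as->isAuthenticated();
    // Hand PHP's session handling back to the application afterwards.
    \SimpleSAML\Session::getSessionFromRequest()->cleanup();
    return $active;
}

/** Call early in every protected request, e.g. from a controller's beforeFilter. */
function enforceSlo(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (sloDecision($_SESSION, 'idpSessionActive') !== 'logout') {
        return;
    }
    $_SESSION = [];               // drop the local identity
    session_regenerate_id(true);  // the old session id cannot be reused
}
```

The `auth_via_sso` flag has to be set by the application at SSO login time; without it, the check would either skip SSO users or log out local-credential users who never had an Identity Provider session.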