SLO Polling Service

IdP-initiated SLO functionality for non-supporting Service Providers

SAML defines IdP-initiated logout as a way to log users out of all Service Providers they are known to have authenticated to in the current session. DigiD supports logout by sending IdP-initiated SOAP logout requests. These requests are not supported by a number of Service Providers (ADFS, Auth0), and therefore the Connectis Identity Broker cannot forward such a request to those Service Providers. This document describes how our Polling Service can be used to work around this problem.

Login flow

After a user logs in on DigiD, the Connectis Identity Broker caches which user has logged in and from which IdP, and links a random token to this entry.

Stored in Cache/database 1:

  Field          Value
  Nameid         Sectorcode + bsn (hashed with salt?)
  Idp            DigiD entityid
  Login-token    Random uuid
  CreationTime   Date when created
  UpdateTime     Date when updated

The Connectis Identity Broker sends the Service Provider a SAML Response with an attribute “login-token”, which contains the token linked to this entry.

Logout flow

If the broker receives a logout response, or an IdP-initiated logout request that it cannot forward to the Service Provider, it removes the corresponding entry from the cache.

Polling

The Service Provider can poll the broker on a REST endpoint with the login token to check if the user is still logged in on the broker.

broker.com/rest/sso/status/{login-token}

The broker will return status code 204 if it can find the token in the cache (the user is logged in) and 404 if it cannot find the token (the user is not logged in or the token does not exist).

Keep alive

When the user is sent back to DigiD for re-authentication and logs in successfully, the updateTime of the entry is refreshed.

Clean up

The cache entries will be automatically removed after they time out.
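The whole lifecycle described above (login entry with a random token, logout removing the entry, the status poll answering 204/404, keep-alive refreshing updateTime, and time-based clean-up) as one added example. This is illustrative code written for this page, not the Connectis Identity Broker's implementation; the salt, the DigiD entity ID, the session TTL and the HMAC-SHA256 choice for "hashed with salt" are assumptions, and the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Constructed placeholder values; the real salt, entity ID and TTL are not on the page.
SALT = b"example-salt-not-from-the-page"
DIGID_ENTITY_ID = "https://digid.example/saml/idp"  # hypothetical entity ID
SESSION_TTL = timedelta(minutes=15)               # assumed time-out for clean-up


def hash_nameid(sectorcode: str, bsn: str) -> str:
    """Keyed hash of sectorcode + BSN so the cache never holds a raw BSN."""
    return hmac.new(SALT, f"{sectorcode}:{bsn}".encode(), hashlib.sha256).hexdigest()


@dataclass
class CacheEntry:
    nameid: str            # hashed sectorcode + bsn
    idp: str               # DigiD entity ID
    login_token: str       # random UUID sent to the SP as attribute "login-token"
    creation_time: datetime
    update_time: datetime


class BrokerSessionCache:
    """Cache/database 1 from the document, keyed by login-token."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self._entries: Dict[str, CacheEntry] = {}
        self._now = now or (lambda: datetime.now(timezone.utc))

    # Login flow: DigiD authenticated the user; store the entry and link a random token.
    def on_login(self, sectorcode: str, bsn: str) -> str:
        token = str(uuid.uuid4())
        now = self._now()
        self._entries[token] = CacheEntry(
            nameid=hash_nameid(sectorcode, bsn),
            idp=DIGID_ENTITY_ID,
            login_token=token,
            creation_time=now,
            update_time=now,
        )
        return token  # the broker puts this in the SAML Response as "login-token"

    # Logout flow: the IdP-initiated logout cannot be forwarded, so drop the user's entries.
    def on_idp_logout(self, sectorcode: str, bsn: str) -> int:
        nameid = hash_nameid(sectorcode, bsn)
        doomed = [t for t, e in self._entries.items() if e.nameid == nameid]
        for t in doomed:
            del self._entries[t]
        return len(doomed)

    # Polling: GET /rest/sso/status/{login-token} -> 204 if present, 404 otherwise.
    def status(self, login_token: str) -> int:
        self.cleanup()  # never answer 204 for an entry that has already timed out
        return 204 if login_token in self._entries else 404

    # Keep alive: successful re-authentication at DigiD refreshes updateTime.
    def on_reauthentication(self, login_token: str) -> bool:
        entry = self._entries.get(login_token)
        if entry is None:
            return False
        entry.update_time = self._now()
        return True

    # Clean up: remove entries whose updateTime is older than the TTL.
    def cleanup(self) -> int:
        now = self._now()
        expired = [t for t, e in self._entries.items() if now - e.update_time > SESSION_TTL]
        for t in expired:
            del self._entries[t]
        return len(expired)
```

The poll runs clean-up before answering so a timed-out entry is reported as 404 rather than lingering until a scheduled sweep; the login-token is a bearer-style secret, so the status endpoint is only as strong as the confidentiality of that token in transit and in the Service Provider's session store.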