5 Replies Latest reply on Nov 30, 2010 5:55 PM by jeanluc

Can PicketLink check if the IDP has invalidated the session (aka "kick a user"?)

jeanluc Nov 30, 2010 9:57 AM

Hi (Marcel, most likely you will answer first),

Is there a way for PicketLink to check periodically if the session is still valid in the SSO server or, even better, for the IDP (OpenSSO in our case) to send a message to the SP to invalidate a session? We would like to implement a mechanism to forcefully log out a user if need be, but still maintain a sensible session timeout for users (i.e., setting it at 5 minutes would be a major inconvenience).

Thanks,

-JL

1. Re: Can PicketLink check if the IDP has invalidated the session (aka "kick a user"?)

jeanluc Nov 30, 2010 10:08 AM (in response to jeanluc)

After more research, I see that SAML allows IDP-initiated logouts (which lead to a logout request sent from the IDP to the SP and the response in the opposite direction).

Is this possible with Picket Link?
Actions
2. Re: Can PicketLink check if the IDP has invalidated the session (aka "kick a user"?)

marcelkolsteren Nov 30, 2010 5:51 PM (in response to jeanluc)

Yea, sure, this is supported. In fact, the PicketLink SP even doesn't know whether it was an IDP-initiated logout or a logout initiated by another SP which participated in the same session. In both cases, it handles the logout request.

More behind the hood of PicketLink: the SamlSingleLogoutReceiver not only has a processIDPResponse method (for handling the response to a logout initiated by PicketLink), but also a processIDPRequest method (for handling a logout request coming in from the IDP).

These days there was a forum discussion about this IDP-initiated single logout functionality:

http://community.jboss.org/message/573566#573566
Actions
3. Re: Can PicketLink check if the IDP has invalidated the session (aka "kick a user"?)

jeanluc Nov 30, 2010 5:45 PM (in response to marcelkolsteren)

Great. Thanks. Is there any configuration needed to enable it or will it just be a regular SAML request-response between the IDP and the SDP?
Actions
4. Re: Can PicketLink check if the IDP has invalidated the session (aka "kick a user"?)

marcelkolsteren Nov 30, 2010 5:53 PM (in response to jeanluc)

I was still editing my response when your answer to the previous version of my response was coming in. So please read the updated version for some more details.

Regarding your last question: no additional configuration is required.
Actions
5. Re: Can PicketLink check if the IDP has invalidated the session (aka "kick a user"?)

jeanluc Nov 30, 2010 5:55 PM (in response to marcelkolsteren)

Perfect, thanks!
Actions

Go to original post