PingFederate: SP SLO vs. IDP SLO - Does it really matter?


Problem description

The PingFederate documentation notes that you may configure either SP or IDP single-log-out (a.k.a. SLO).

A user initiates SLO when that user requests a "Start-SLO" endpoint from their browser (i.e. either http://<PingFederate Base URL>/sp/startSSO.ping or http://<PingFederate Base URL>/idp/startSSO.ping).

My questions:

  • Isn't this just a distinction in name only?
  • At the end of the day, aren't we just targeting an endpoint anyway?
  • Does this choice have any material impact on the SLO process?

@Scott T. had the following to say here:

If users start the SLO process at the IdP, then yes - users will be redirected back to /idp/SLO.saml2 as the last step. In fact, each SP that you redirect to for logout will redirect back to the IdP to logout of the next SP. If you start the SLO process from an SP, then the last place users will end up is at that SP's SLO endpoint.

Indeed, it would be nice if PingFederate redirected to the SP that initiated the SLO as the last step, but this hasn't been my experience.

Perhaps I should also ask:

  • How do you specify the SP that initiated the SLO?

Edit: Per @Scott T.'s answer here:

I'm assuming here you have PingFederate as an IdP and SP (potentially 2 separate installs).

As I understand the definitions of IdP and SP:

  • PingFederate is neither my IdP nor one of my SPs.**
  • For my configuration, PingFederate merely facilitates the open token transfer between my IdP and my SP.
  • Until very recently, I was of the belief that this was a completely valid configuration.
  • But now it seems like this configuration doesn't facilitate SLO; or at least not as nicely as it would if PingFederate was acting as my IdP.
    • Is this correct?

**When I say this, I mean to say that I have:

  • A standalone web application which authenticates users, and has a backing store (i.e. a database) that includes user names and passwords - This acts as my IdP.
  • Multiple standalone web applications which are linked to my IdP which display data and provide functionality to my users - These act as my SPs.

Recommended answer

I'm assuming here you have PingFederate as an IdP and SP (potentially 2 separate installs). If you want to start the SLO process from your IdP, you would request it at: http://pingfed-idp/idp/startSSO.ping. If you want to start the SLO process from your SP, you would request it at: http://pingfed-sp/sp/startSSO.ping.

There is a slight difference in flow between the two models:

If you start at the IdP, then the IdP will send a SAML 2.0 LogoutRequest message to each of the SPs (one at a time) where you have an SSO session. Each SP will log out the user from the local session, then redirect back to the SP with a SAML LogoutResponse saying success/fail. The process ends at the IdP once the final SP is done.

If you start at the SP, then that SP will send a SAML 2.0 LogoutRequest to the IdP, then the IdP sends a LogoutRequest to every other SP (one at a time) where you have an SSO session. Each SP will again log out the user from the local session, then redirect back to the SP with a SAML LogoutResponse saying success/fail. Once the IdP is done terminating all sessions - it sends a final LogoutResponse to the original SP that initiated SLO.
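The two flows described in the answer, as an added example that is not part of the original question or answer and is not PingFederate code: a toy in-memory IdP with three SPs exchanges minimal samlp:LogoutRequest / samlp:LogoutResponse documents, once IdP-initiated and once SP-initiated, and records who sent what to whom and where the browser ends up. The entity IDs (https://pingfed-idp, https://spN.example), the user name and the /sp/SLO.saml2 endpoint string are assumptions (only /idp/SLO.saml2 appears on the page); messages are unsigned, and each SP answers the IdP that sent it the LogoutRequest. The point it makes concrete is the one the answer gives: the IdP fans out the same per-SP exchange in both cases, but SP-initiated SLO adds a request/response pair around it and ends at the initiating SP, whereas IdP-initiated SLO ends at the IdP.

```python
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def logout_request(issuer, name_id, session_index):
    """Minimal samlp:LogoutRequest (unsigned here; real deployments sign it)."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", ID=f"_{uuid.uuid4().hex}", Version="2.0")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return req


def logout_response(issuer, in_response_to, status=STATUS_SUCCESS):
    """Minimal samlp:LogoutResponse, correlated to its request via InResponseTo."""
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", ID=f"_{uuid.uuid4().hex}",
                      Version="2.0", InResponseTo=in_response_to)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status_el = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status_el, f"{{{SAMLP}}}StatusCode", Value=status)
    return resp


class SP:
    def __init__(self, entity_id):
        self.entity_id = entity_id   # assumed value, e.g. "https://sp1.example"
        self.sessions = {}           # name_id -> SessionIndex issued at SSO time

    def handle_logout_request(self, req, trail):
        """IdP -> SP LogoutRequest: drop the local session, answer the IdP."""
        self.sessions.pop(req.findtext(f"{{{SAML}}}NameID"), None)
        trail.append((self.entity_id, "LogoutResponse", req.findtext(f"{{{SAML}}}Issuer")))
        return logout_response(self.entity_id, req.get("ID"))

    def start_slo(self, name_id, idp):
        """SP-initiated SLO: drop our session, ask the IdP to log out the rest."""
        trail = []
        req = logout_request(self.entity_id, name_id, self.sessions.pop(name_id))
        trail.append((self.entity_id, "LogoutRequest", idp.entity_id))
        resp = idp.handle_logout_request(req, trail)
        if resp.get("InResponseTo") != req.get("ID"):
            raise ValueError("final LogoutResponse does not correlate to our request")
        return trail, f"{self.entity_id}/sp/SLO.saml2"   # browser ends at this SP


class IdP:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.sps = {}                # entity_id -> SP
        self.sso_sessions = {}       # name_id -> {sp_entity_id: SessionIndex}

    def sso(self, name_id, sp):
        """Record an SSO session with `sp` (the assertion exchange itself is omitted)."""
        idx = f"_{uuid.uuid4().hex}"
        self.sps[sp.entity_id] = sp
        self.sso_sessions.setdefault(name_id, {})[sp.entity_id] = idx
        sp.sessions[name_id] = idx

    def _logout_sps(self, name_id, trail, skip=None):
        """One LogoutRequest per SP with a live session, each response checked."""
        for sp_id, idx in list(self.sso_sessions.get(name_id, {}).items()):
            if sp_id == skip:
                continue
            req = logout_request(self.entity_id, name_id, idx)
            trail.append((self.entity_id, "LogoutRequest", sp_id))
            resp = self.sps[sp_id].handle_logout_request(req, trail)
            code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
            if resp.get("InResponseTo") != req.get("ID") or code != STATUS_SUCCESS:
                raise ValueError(f"logout of {sp_id} failed or did not correlate")
        self.sso_sessions.pop(name_id, None)

    def start_slo(self, name_id):
        """IdP-initiated SLO: log out every SP; browser ends at the IdP."""
        trail = []
        self._logout_sps(name_id, trail)
        return trail, f"{self.entity_id}/idp/SLO.saml2"

    def handle_logout_request(self, req, trail):
        """SP-initiated SLO: log out every *other* SP, then answer the requester."""
        issuer = req.findtext(f"{{{SAML}}}Issuer")
        self._logout_sps(req.findtext(f"{{{SAML}}}NameID"), trail, skip=issuer)
        trail.append((self.entity_id, "LogoutResponse", issuer))
        return logout_response(self.entity_id, req.get("ID"))


def demo(initiator=None):
    """Three SPs with SSO sessions; run SLO from the IdP (None) or from SP #initiator.

    Returns (message trail, final browser endpoint, sessions still alive).
    """
    idp = IdP("https://pingfed-idp")
    sps = [SP(f"https://sp{i}.example") for i in (1, 2, 3)]
    for sp in sps:
        idp.sso("alice", sp)
    trail, end = idp.start_slo("alice") if initiator is None else sps[initiator].start_slo("alice", idp)
    live = sum(len(sp.sessions) for sp in sps) + len(idp.sso_sessions)
    return trail, end, live


if __name__ == "__main__":
    for label, init in (("IdP-initiated", None), ("SP-initiated from sp1", 0)):
        trail, end, live = demo(init)
        print(f"{label}: browser ends at {end} ({live} sessions left)")
        for src, msg, dst in trail:
            print(f"  {src} --{msg}--> {dst}")
```

Run it and compare the two trails: in both cases sp2 and sp3 see exactly one LogoutRequest from the IdP, but only in the SP-initiated run does the IdP skip the initiating SP (it already dropped its own session) and close with a LogoutResponse to it, which is what puts the browser at that SP's SLO endpoint rather than at /idp/SLO.saml2. The InResponseTo and StatusCode checks are the minimum any relying party should do before treating a logout as complete; a real deployment also verifies the signature on each message.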
