IdP initiated login and logout process
Starting from version 9.1.02, Remedy Single Sign-On (Remedy SSO) supports Identity Provider (IdP) initiated login and logout.
IdP initiated login
In an IdP initiated login, a user first signs in at the IdP site and then clicks one of the services offered by the remote Service Provider (SP). After the user selects the required service, the IdP initiates the authentication process and delivers the result to the SP.
IdP initiated login has the following advantages:
- In an SP initiated login, users need a different link for each service provided by a service provider, so they might need to bookmark every one of them. With IdP initiated login, end users need only one link, the IdP link, to gain access to any service provided by a service provider. For example, if the IdP is AD FS 2.0, the user might enter the URL to gain access to the IdP site.
- Users get the same SSO experience for BMC products and third-party products, because they click the same IdP link to gain access to all of them.
IdP initiated logout
In an IdP initiated single logout (SLO), when a user logs out from any application that belongs to a single login session, the user is logged out from all applications, BMC and third-party, that belong to that session. IdP initiated logout is triggered when the user clicks a logout option on the IdP logout page.
IdP initiated logout has the following advantages:
- Customers get the same logout experience for BMC and third-party products, because they click the same link on the IdP site to log out from the IdP and from all applications of the different SPs that share the common SSO session.
- When the user logs out from the IdP, the user is also logged out from every other logged-in application, including Remedy SSO. If the user then tries to gain access to any of these applications, the user is authenticated again.
To enable the SLO feature, ensure that you provide the single logout service information in the SP metadata. For more information about the single logout service, see SAMLv2 authentication process.
For more information, refer to the following topics:
IdP initiated login workflow
The following table lists the sequence of events that occur in an IdP initiated login.
| Step | Event |
|---|---|
| 1 | User enters the IdP link in a browser. |
| 2 | Browser sends the request to the IdP. |
| 3 | IdP requests user credentials if the user does not have an existing local security context. |
| 4 | User enters the credentials and logs into the IdP server. |
| 5 | IdP creates a local security context for the user and displays a list of services that are offered by the SP. |
| 6 | User clicks the link of the required service. |
| 7 | IdP invokes its SSO service, which creates a SAML assertion and places this assertion in the response message of an HTML form. |
| 8 | IdP sends the HTML form to the browser. |
| 9 | Browser sends the HTML form to the Assertion Consumer Service of the Remedy SSO server. |
| 10 | Assertion Consumer Service validates the digital signature on the SAML assertion. After validation, the Assertion Consumer Service extracts the response message from the HTML form to create a local logon security context for the user on the Remedy SSO server. |
| 11 | Remedy SSO server retrieves the service URL from the HTML form and sends an HTTP redirect response to the browser to access the service. |
| 12 | SSO agent of the service performs the access check for the user. If the user has the correct authorization, the SSO agent returns the service to the browser. |
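The checks an Assertion Consumer Service runs in steps 9 to 11 once the digital signature has been verified, written as an added Python example rather than Remedy SSO's own code: it decodes the posted SAMLResponse, checks Destination, status, validity window and audience, rejects a replayed assertion ID (an IdP initiated response carries no InResponseTo to match against), and only redirects to a registered service URL. The ACS URL, entity ID, service hosts and the sample response are constructed for illustration; the XML-DSig verification itself is delegated to a signature library and is not shown.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlsplit
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed SP configuration for this example, not Remedy SSO's real values
ACS_URL = "https://sso.example.com/rsso/saml/acs"
SP_ENTITY_ID = "https://sso.example.com/rsso"
ALLOWED_SERVICE_HOSTS = {"itsm.example.com", "smartit.example.com"}
seen_assertion_ids = set()  # replay cache; a real SP persists this with expiry
def parse_time(s):  # SAML timestamps are UTC xs:dateTime values, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()

def consume_post_binding(saml_response_b64, relay_state, now):
    """ACS checks on a POST-bound SAMLResponse after XML-DSig verification; returns (subject, service_url)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match this ACS")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext assertion (an EncryptedAssertion must be decrypted first)")
    cond = assertion.find("saml:Conditions", NS)
    if now < parse_time(cond.get("NotBefore")) or now >= parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this SP")
    # An IdP-initiated response has no InResponseTo to match, so replay protection rests on the ID
    if assertion.get("ID") in seen_assertion_ids:
        raise ValueError("assertion replayed")
    seen_assertion_ids.add(assertion.get("ID"))
    subject = assertion.find("saml:Subject/saml:NameID", NS).text
    # RelayState names the service the user clicked; redirect only to registered service hosts
    target = urlsplit(relay_state)
    if target.scheme != "https" or target.hostname not in ALLOWED_SERVICE_HOSTS:
        raise ValueError("RelayState is not a registered service URL")
    return subject, relay_state
# Constructed sample, as the IdP's HTML form would post it in the SAMLResponse field
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
 xmlns:saml="{NS['saml']}" ID="_r1" Destination="{ACS_URL}"><samlp:Status>
<samlp:StatusCode Value="{SUCCESS}"/></samlp:Status><saml:Assertion ID="_a1">
<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>""".encode()).decode()
```

Running `consume_post_binding(SAMPLE_RESPONSE, "https://itsm.example.com/arsys/home", parse_time("2024-01-01T12:02:00Z"))` returns the subject and service URL; a second call with the same response is rejected as a replay.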
IdP initiated single logout workflow
| Step | Event |
|---|---|
| 1 | User clicks the logout link on the IdP logout page. |
| 2 | IdP determines all applications that belong to that session. |
| 3 | IdP builds a digitally signed SAML logout request that represents the security context of the user and places it in an HTML form as a SAML request. |
| 4 | IdP uses the HTTP redirect binding to send the logout request to all service providers, including Remedy SSO. |
| 5 | Remedy SSO performs the following tasks: |
| 6 | IdP redirects the client browser to the IdP final logout URL. |