SAP Business ByDesign (ByD) supports service provider initiated as well as identity provider initiated Single Sign-On (SSO) and Single Log-Out (SLO) procedures. In this blog post I would like to address some frequently asked questions regarding single log-out.
While single sign-on means creating a session based on a user session at the identity provider (IdP), single log-out is the procedure that closes all sessions related to one IdP session at once.
To do this, the identity provider (IdP) and the service provider (SP, for example ByD) exchange SAML 2.0 LogoutRequest and LogoutResponse messages:
- A service provider issues a logout request to the IdP.
- The IdP determines the session participants and sends a logout request to every participating service provider.
- Every SP returns a logout response to the IdP.
- The IdP sends a logout response to the originating service provider from step 1.
The SLO endpoint URLs of ByD are listed in the ByD SAML metadata, which you can download from the ByD SSO configuration UI.
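The four-step exchange above, played through in code. This is an added example written for this post, not ByD or SAP code: entity IDs and the session index are made up, the messages are unsigned, and "sending" is a direct method call rather than the HTTP redirect or POST binding an IdP would actually use. The IdP keeps a per-session list of participants, fans a LogoutRequest out to every participant except the one that started the log-out, and only reports Success to the originator if every participant answered Success to the request the IdP actually sent (otherwise it reports PartialLogout).

```python
"""Simulated SAML 2.0 single log-out between one IdP and two SPs (constructed
example, not ByD code: made-up entity IDs, unsigned messages, direct calls
instead of HTTP bindings)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def _header(kind, extra=None):
    """Root element with the attributes every samlp message carries."""
    attrs = {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
             "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")}
    attrs.update(extra or {})
    return ET.Element(f"{{{SAMLP}}}{kind}", attrs)

def build_logout_request(issuer, name_id, session_index):
    """<samlp:LogoutRequest>: which subject and which IdP session to close."""
    req = _header("LogoutRequest")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")

def build_logout_response(issuer, in_response_to, status_code):
    """<samlp:LogoutResponse> answering the request with ID in_response_to."""
    resp = _header("LogoutResponse", {"InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": status_code})
    return ET.tostring(resp, encoding="unicode")

def parse_message(xml_text):
    """Pull out the fields the exchange needs from either message type."""
    root = ET.fromstring(xml_text)
    info = {"kind": root.tag.split("}")[1], "id": root.get("ID"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "in_response_to": root.get("InResponseTo")}
    if info["kind"] == "LogoutRequest":
        info["name_id"] = root.findtext(f"{{{SAML}}}NameID")
        info["session_index"] = root.findtext(f"{{{SAMLP}}}SessionIndex")
    else:
        info["status"] = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
    return info

class ServiceProvider:
    """A session participant such as ByD; local sessions keyed by SessionIndex."""
    def __init__(self, entity_id):
        self.entity_id, self.sessions = entity_id, {}

    def start_logout(self, session_index):
        """Step 1: close the local session and send a LogoutRequest to the IdP."""
        return build_logout_request(self.entity_id, self.sessions.pop(session_index), session_index)

    def handle_logout_request(self, xml_text):
        """Step 3: close the session the IdP names and return a LogoutResponse."""
        req = parse_message(xml_text)
        self.sessions.pop(req["session_index"], None)
        return build_logout_response(self.entity_id, req["id"], STATUS_SUCCESS)

class IdentityProvider:
    def __init__(self, entity_id):
        self.entity_id, self.participants = entity_id, {}  # session_index -> {sp_id: sp}

    def login(self, session_index, name_id, sp):
        """SSO: create the SP session and record the SP as a session participant."""
        sp.sessions[session_index] = name_id
        self.participants.setdefault(session_index, {})[sp.entity_id] = sp

    def handle_logout_request(self, xml_text):
        """Steps 2 and 4: fan out to every other participant, then answer the originator."""
        req = parse_message(xml_text)
        idx, all_ok = req["session_index"], True
        for sp_id, sp in self.participants.pop(idx, {}).items():
            if sp_id == req["issuer"]:
                continue  # the originating SP already closed its own session
            idp_req = build_logout_request(self.entity_id, req["name_id"], idx)
            resp = parse_message(sp.handle_logout_request(idp_req))
            all_ok = all_ok and (resp["status"] == STATUS_SUCCESS
                                 and resp["in_response_to"] == parse_message(idp_req)["id"])
        status = STATUS_SUCCESS if all_ok else STATUS_PARTIAL
        return build_logout_response(self.entity_id, req["id"], status)

def simulate_slo():
    """Run the four steps: ByD starts the log-out and a second SP is logged out too."""
    idp = IdentityProvider("https://idp.example.invalid")  # constructed entity IDs
    byd = ServiceProvider("https://byd.example.invalid")
    crm = ServiceProvider("https://crm.example.invalid")
    for sp in (byd, crm):
        idp.login("session-42", "alice@example.invalid", sp)
    request = byd.start_logout("session-42")                      # step 1
    response = parse_message(idp.handle_logout_request(request))  # steps 2 to 4
    return {"status": response["status"],
            "answers_request": response["in_response_to"] == parse_message(request)["id"],
            "open_sessions": len(byd.sessions) + len(crm.sessions)}
```

The InResponseTo check in the IdP is the part worth copying: a LogoutResponse only counts if it answers the request the IdP sent for that session, so a stale or unrelated response cannot make a participant look logged out when it is not.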
Log-off screen
Typically the IdP lets you configure a response location URL (log-off screen) that the IdP loads after all sessions have been terminated. This URL should be publicly accessible, because all user sessions have already been terminated by the time it is requested.
Possible log-off screens are for example:
- any public web page
- Log-off screen of the identity provider (in case of IdP-initiated SSO)
- Log-off screen of the service provider, for example ByD (in case of SP-initiated SSO)
SAP Business ByDesign provides a log-off page with a restart URL.
The ByD log-off URL accepts two parameters:
- client_type: The parameter client_type=html or client_type=sl lets you control whether the ByD HTML5 UI or the ByD Silverlight UI is launched.
With release 1708 we plan to provide a company setting to use the ByD HTML5 UI by default. In the long term HTML5 will become the default for all ByD customers and will be launched using the basic URL without the parameter client_type=html.
- logoff: The parameter logoff=1 restarts at the same URL path from which the log-off was triggered. The parameter logoff=2 restarts using the SAML-aware ByD URL.
Examples:
The logoff page
https://myXXXXXX-sso.sapbydesign.com/sap/public/ap/ui/runtime?logoff=2&client_type=html
provides you a link that redirects you to the ByD HTML5 logon with SSO.
The logoff page
https://myXXXXXX-sso.sapbydesign.com/sap/public/ap/ui/runtime?logoff=2&client_type=sl
provides you a link that redirects you to the ByD Silverlight logon with SSO.
The logoff page
https://myXXXXXX-sso.sapbydesign.com/sap/public/ap/ui/runtime?logoff=2
provides you a link that redirects you to the ByD Silverlight logon with SSO. In 1708 the UI type (HTML5 or Silverlight) depends on your company settings. In the long term HTML5 will become the ByD default UI, and the link will then redirect you to the HTML5 logon with SSO.
The logoff page
https://myXXXXXX-sso.sapbydesign.com/sap/public/ap/ui/runtime?logoff=1&client_type=html
provides you a link that redirects you to the ByD HTML5 logon without SSO.
The logoff page
https://myXXXXXX.sapbydesign.com/sap/public/ap/ui/runtime?logoff=1&client_type=html
provides you a link that redirects you to the ByD HTML5 logon without SSO.
The logoff page
https://myXXXXXX.sapbydesign.com/sap/public/ap/ui/runtime?logoff=1&client_type=sl
provides you a link that redirects you to the ByD Silverlight logon without SSO.
For non-SSO URLs, always use the logoff parameter logoff=1.
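A small check for the log-off URL you enter as response location at the IdP, encoding the rules from the examples above: the path and parameters the examples use, client_type restricted to html or sl, and the rule that a non-SSO host must use logoff=1. This is an added example for this post, not ByD code. It assumes, as in the examples above, that the SAML-aware ByD host is the one carrying the "-sso" suffix; the myXXXXXX hosts are the post's own placeholders.

```python
"""Check a ByD log-off page URL (IdP response location) against the rules in this post.
Constructed example, not ByD code; hosts are the post's myXXXXXX placeholders."""
from urllib.parse import urlparse, parse_qs

LOGOFF_PATH = "/sap/public/ap/ui/runtime"   # path used by every example in the post
CLIENT_TYPES = {"html", "sl"}               # HTML5 UI or Silverlight UI

def is_sso_host(hostname):
    """Assumption: the SAML-aware ByD URL is the '-sso' host shown in the post's examples."""
    return hostname is not None and hostname.endswith("-sso.sapbydesign.com")

def check_logoff_url(url):
    """Return a list of findings; an empty list means the URL follows the post's rules."""
    findings = []
    parts = urlparse(url)
    query = parse_qs(parts.query)
    logoff = query.get("logoff", [None])[0]
    client_type = query.get("client_type", [None])[0]
    if parts.path != LOGOFF_PATH:
        findings.append(f"path: expected {LOGOFF_PATH}")
    if logoff not in ("1", "2"):
        findings.append("logoff: must be 1 (restart on the same path) or 2 (restart via the SAML-aware URL)")
    if client_type is not None and client_type not in CLIENT_TYPES:
        findings.append("client_type: must be html or sl (or omitted)")
    if logoff == "2" and not is_sso_host(parts.hostname):
        findings.append("logoff=2 on a non-SSO host: always use logoff=1 for non-SSO URLs")
    return findings
```

Run it over the URL before saving the IdP configuration; a non-SSO host combined with logoff=2 is the one combination the post explicitly rules out, and the check reports it as a separate finding.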