Implement SSO and SLO
You can implement both single sign-on (SSO) and single logout (SLO) with AM SAML 2.0.
SSO is the ability to log in once but access multiple applications, whereas SLO is the ability to terminate multiple login sessions by logging out of one central place.
AM provides two ways to implement SSO: integrated mode and standalone mode. You must use standalone mode to implement SLO because integrated mode supports SSO only.
SSO can be initiated either from the SP or the IdP:

- SP-initiated SSO

  The SP initiates the login request.
  A common reason to choose SP-initiated SSO is the ability for end users to access specific URLs within the application immediately upon login.
  For example:

  - If an end user navigates to the SP first, the SP directs them to the IdP for the login.
  - If the end user already has a session on the IdP, the IdP redirects them back to the SP with a SAML assertion.
  - If the end user doesn’t have a session, they enter their credentials. After a successful login, they are redirected back to the SP with a SAML assertion.
  - The end user can access the SP application.

  Find an example use case in Grant access to Google Workspace.

- IdP-initiated SSO

  The IdP initiates the login to the SP.
  An IdP-initiated SSO flow can simplify the user experience by making an application appear part of the IdP’s portal.
  For example:

  - The end user is already logged into the IdP and clicks the application (SP) they want to access.
  - The IdP sends a SAML assertion to the SP.
  - The end user is allowed access to the SP application.

  Find an example use case in Grant access to a pension application through a workplace portal.
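The two flows above, as an added example that is not part of this documentation or of AM's own code: a minimal Python simulation in which the SP issues an AuthnRequest, the IdP answers with a Response carrying an Assertion (or asks for login first), and the SP runs the checks it must pass before granting access. The entity IDs, URLs, session cookie and user `alice` are constructed values; signature verification, which AM performs against the partner's metadata certificates, is assumed to happen before `consume_response` and is not shown.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed entity IDs and endpoints; they belong to no real deployment.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def _now():
    return datetime.now(timezone.utc).replace(microsecond=0)


def _check(ok, msg):
    if not ok:
        raise ValueError(msg)


class IdentityProvider:
    """IdP side: tracks browser sessions and issues a Response with one Assertion."""

    def __init__(self):
        self.sessions = {}  # session cookie -> authenticated user

    def login(self, cookie, user):
        self.sessions[cookie] = user  # credentials are assumed to have been verified

    def handle(self, cookie, authn_request_xml=None):
        """Return a Response if the browser has a session, else None (login needed).
        Called without an AuthnRequest, this is the IdP-initiated case: no InResponseTo."""
        user = self.sessions.get(cookie)
        if user is None:
            return None
        now = _now()
        attrs = {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                 "IssueInstant": now.strftime(TS), "Destination": SP_ACS_URL}
        if authn_request_xml is not None:
            attrs["InResponseTo"] = ET.fromstring(authn_request_xml).get("ID")
        resp = ET.Element(f"{{{SAMLP}}}Response", attrs)
        ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
        status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
        ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
        a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
            "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now.strftime(TS)})
        ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
        subj = ET.SubElement(a, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameID").text = user
        cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
            "NotBefore": (now - timedelta(minutes=1)).strftime(TS),
            "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(TS)})
        ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
        ET.SubElement(ar, f"{{{SAML}}}Audience").text = SP_ENTITY_ID
        # A real IdP signs the Response/Assertion here; XML-DSig is out of scope.
        return ET.tostring(resp, encoding="unicode")


class ServiceProvider:
    """SP side: issues AuthnRequests and validates the Response before granting access."""

    def __init__(self, allow_unsolicited=False):
        self.pending = {}  # outstanding AuthnRequest IDs
        self.allow_unsolicited = allow_unsolicited  # True only when IdP-initiated SSO is wanted

    def build_authn_request(self):
        req_id = "_" + uuid.uuid4().hex
        root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
            "ID": req_id, "Version": "2.0", "IssueInstant": _now().strftime(TS),
            "AssertionConsumerServiceURL": SP_ACS_URL})
        ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
        self.pending[req_id] = True
        return ET.tostring(root, encoding="unicode")

    def consume_response(self, xml_text):
        """Return the authenticated NameID, or raise ValueError (signature check assumed done)."""
        root = ET.fromstring(xml_text)
        _check(root.tag == f"{{{SAMLP}}}Response", "not a samlp:Response")
        _check(root.get("Destination") == SP_ACS_URL, "Destination is not this SP's ACS URL")
        irt = root.get("InResponseTo")
        if irt is None:
            _check(self.allow_unsolicited, "unsolicited Response rejected: IdP-initiated SSO not enabled")
        else:
            _check(irt in self.pending, "InResponseTo matches no outstanding request (replay?)")
            del self.pending[irt]  # each request ID is accepted once
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        _check(code is not None and code.get("Value") == SUCCESS, "IdP did not report success")
        a = root.find("saml:Assertion", NS)
        _check(a is not None and a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID,
               "missing assertion or unexpected issuer")
        cond = a.find("saml:Conditions", NS)
        _check(cond is not None, "assertion has no Conditions")
        nb = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
        noa = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
        _check(nb <= _now() < noa, "assertion outside its validity window")
        _check(cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY_ID,
               "assertion not addressed to this SP")
        return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def sp_initiated_sso(sp, idp, cookie, user):
    """SP-initiated steps: SP sends the browser to the IdP; login if no session; assertion back."""
    req = sp.build_authn_request()
    resp = idp.handle(cookie, req)
    if resp is None:
        idp.login(cookie, user)  # the user enters credentials at the IdP
        resp = idp.handle(cookie, req)
    return sp.consume_response(resp)


def idp_initiated_sso(sp, idp, cookie):
    """IdP-initiated steps: a logged-in user clicks the app; the IdP pushes an unsolicited Response."""
    resp = idp.handle(cookie)
    _check(resp is not None, "user has no session at the IdP")
    return sp.consume_response(resp)
```

The point of the two flow functions is the difference in what the SP sees: an SP-initiated Response carries `InResponseTo`, which the SP ties back to a request it actually made and consumes once, while an IdP-initiated Response has no such link, so the SP must decide in advance whether to accept unsolicited responses at all (`allow_unsolicited`). Audience, issuer, destination and validity-window checks apply in both cases.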
Integrated or standalone mode
Your deployment requirements determine whether you should implement SAML 2.0 in integrated or standalone mode.
- Integrated mode

  This option uses nodes, in particular the SAML2 Authentication node, to integrate SAML 2.0 SSO into the AM authentication process.

- Standalone mode

  Access servlet URLs to initiate SSO and SLO.
You can also configure web and Java agents to work alongside AM when performing SSO and SLO. Find out more in Web or Java agents SSO and SLO.
| Deployment task or requirement | Implementation mode |
|---|---|
| You want to deploy only SAML 2.0 SSO using the easiest technique. | Use integrated mode. |
| You want to deploy both SAML 2.0 SSO and SLO. | Use standalone mode. |
| You want to deploy SAML 2.0 IdP-initiated SSO. | Use a standalone URL to trigger the flow. Set configuration to run in integrated mode. |
| You want to use the SAML 2.0 Enhanced Client or Proxy (ECP) SSO profile. | Use standalone mode. |
| Your IdP and SP instances are using the same domain name; for example, (1) | Use standalone mode. |

(1) You can’t use integrated mode when both the IdP and SP share a domain name because of the way it tracks the authentication status using a cookie.