Wednesday, May 15, 2019

Perform a SAML Single Logout (SLO) using the RelayState parameter

Currently, SP-initiated SAML SLO (Single Logout), that is, logging out from NetSuite in order to destroy the session at the IdP, is not yet supported in NetSuite. Only IdP-initiated SLO (logging out from the IdP, which then destroys the session in NetSuite) is supported. This has been logged as enhancement #247574.

The workaround is to chain two IdP-initiated flows. When the user logs out of NetSuite, the browser is sent to the IdP-initiated SSO URL, which creates a fresh session, with the IdP-initiated SLO URL passed as the RelayState parameter. Once SSO completes, the IdP redirects the browser to the RelayState value, which starts an IdP-initiated SLO and ends the session at both the IdP and NetSuite. The RelayState value is appended to the SSO URL's query string and must itself be URL-encoded, since it contains its own '?' and '&' (hence the '%26' in the sample code below). The URL has this general shape:

http://SSOInitURL.com?...&RelayState=http://IDPSLOURL.com

1. Write a simple application whose only job is to redirect the browser to the IdP-initiated SSO URL, carrying the IdP-initiated SLO URL as RelayState. Example, using OpenAM endpoints on localhost:

<?php
// Build the IdP-initiated SLO URL, then pass it as RelayState to the IdP-initiated SSO endpoint;
// http_build_query percent-encodes the nested '?', '&' and '/' so the SLO URL survives as one RelayState value.
$slo = 'http://localhost:9080/openam/saml2/jsp/idpSingleLogoutInit.jsp?' . http_build_query(['metaAlias' => '/idp', 'spEntityID' => 'http://www.netsuite.com/sp']);
header('Location: http://localhost:9080/openam/saml2/jsp/idpSSOInit.jsp?' . http_build_query(['metaAlias' => '/idp', 'spEntityID' => 'http://www.netsuite.com/sp', 'RelayState' => $slo]));
exit; // nothing else should be sent after the redirect header
?>

2. Host the file on a web server and note the URL that serves it.
3. Log in to NetSuite and navigate to Setup > Integration > SAML Single Sign-on.
4. Enter the hosted file's URL in the "Logout Landing Page" field. NetSuite redirects the browser to this page when the user clicks the 'Logout' link.
As an example, see the following screenshot:


5. Click Submit.
6. To test, log in to NetSuite via SAML and click the 'Logout' link in the upper-right corner of the page. The browser should pass through the IdP's SSO endpoint, be redirected to the SLO endpoint, and end up with no session at either the IdP or NetSuite.
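Before putting a chained URL like this behind the Logout Landing Page, it is worth checking that the nesting decodes the way the IdP will see it. The following is an added Python helper written for this page; it is not code from the original post, OpenAM or NetSuite. It builds the SSO URL with the SLO URL nested as RelayState, unpacks it layer by layer, and flags two things a practitioner should look at: the SAML 2.0 Bindings specification caps RelayState at 80 bytes, and a full SLO URL such as the post's own is longer than that, so the workaround relies on the IdP not enforcing the limit (some IdP and SP implementations do); and a RelayState target that is not https, since the redirect chain otherwise runs in the clear. The host idp.example.com and the endpoint paths are assumed placeholders.

```python
"""Build and verify the chained SSO-then-SLO redirect URL (added example)."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed placeholders: an OpenAM-style IdP base URL, its metaAlias and the NetSuite SP entity ID.
IDP_BASE = "https://idp.example.com/openam/saml2/jsp"
META_ALIAS = "/idp"
SP_ENTITY_ID = "http://www.netsuite.com/sp"

# SAML 2.0 Bindings (HTTP Redirect and POST) limit RelayState to 80 bytes.
RELAYSTATE_MAX_BYTES = 80


def build_slo_url(idp_base=IDP_BASE, meta_alias=META_ALIAS, sp_entity_id=SP_ENTITY_ID):
    """IdP-initiated Single Logout URL; this becomes the RelayState value."""
    return f"{idp_base}/idpSingleLogoutInit.jsp?" + urlencode(
        {"metaAlias": meta_alias, "spEntityID": sp_entity_id})


def build_logout_landing_url(idp_base=IDP_BASE, meta_alias=META_ALIAS, sp_entity_id=SP_ENTITY_ID):
    """IdP-initiated SSO URL carrying the SLO URL as RelayState.

    urlencode percent-encodes the nested '?', '&' and '%' of the SLO URL, so the
    whole thing arrives at the IdP as a single RelayState parameter (the post's
    PHP hand-encodes the inner '&' as %26 for the same reason).
    """
    slo_url = build_slo_url(idp_base, meta_alias, sp_entity_id)
    return f"{idp_base}/idpSSOInit.jsp?" + urlencode(
        {"metaAlias": meta_alias, "spEntityID": sp_entity_id, "RelayState": slo_url})


def unchain(landing_url):
    """Decode the URL the way the IdP will: the SSO query first, then the RelayState it carries.

    Returns (sso_params, relay_state, slo_params) with single-valued dicts.
    """
    sso_q = parse_qs(urlsplit(landing_url).query, strict_parsing=True)
    relay_state = sso_q["RelayState"][0]
    slo_q = parse_qs(urlsplit(relay_state).query, strict_parsing=True)
    return ({k: v[0] for k, v in sso_q.items()},
            relay_state,
            {k: v[0] for k, v in slo_q.items()})


def check_relay_state(relay_state):
    """Return the problems a practitioner should resolve before deploying the chain."""
    problems = []
    size = len(relay_state.encode())
    if size > RELAYSTATE_MAX_BYTES:
        problems.append(f"RelayState is {size} bytes, over the SAML 80-byte limit")
    if urlsplit(relay_state).scheme != "https":
        problems.append("RelayState target is not https")
    return problems


if __name__ == "__main__":
    url = build_logout_landing_url()
    sso, relay_state, slo = unchain(url)
    print("Logout Landing Page should redirect to:", url)
    print("IdP will redirect after SSO to:        ", relay_state)
    print("SLO parameters seen by the IdP:        ", slo)
    for problem in check_relay_state(relay_state):
        print("WARNING:", problem)
```

Run it once against your own IdP's base URL and metaAlias; if the length warning fires, confirm with the IdP vendor that RelayState is not truncated or rejected, and if the target is http, switch the whole chain to https before using it in production.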
