12.5 Configuring the Liberty or SAML 2.0 Session Timeout

When you are active in a session on the service provider and a timeout occurs, the service provider initiates a logout. You can configure this behaviour with a web.xml parameter in the Access Gateway ESP. When the timeout is reached, the ESP sends a logout message to the Access Manager Service Provider over the SOAP back channel. After the Service Provider receives this message, it creates a SAML 2.0 logout request and sends it to the remote Identity Provider over SOAP.

To send the session timeout message:

  1. Open the web.xml file in the following directory:

    Linux: /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/

    Windows Server 2003: \Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\

    Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\

  2. Add the following lines to the file:

        <context-param>
            <param-name>notifysessionTimetoIDP</param-name>
            <param-value>true</param-value>
        </context-param>

    With this parameter set, the ESP sends a session timeout message to the Service Provider when the timeout is reached. The Service Provider then sends a <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> request to the remote Identity Provider.

  3. Save the file, then copy it to each Identity Server in the cluster.

  4. Restart Tomcat on each Identity Server in the cluster.

    Linux: Enter the following command:

    /etc/init.d/novell-tomcat5 restart

    Windows: Enter the following commands:

    net stop Tomcat5

    net start Tomcat5

12.5.1 Session Termination

If you set up session synchronization between the Service Provider and the remote Identity Provider, the remote Identity Provider never sends a logout request to the active Service Provider.