12.3 Defining Options for Liberty or SAML 2.0

According to the Single Logout Profile in the OASIS SAML V2.0 Profiles specification, session participants should use a front-channel binding. The profile is initiated this way to maximize the likelihood that the session authority can successfully propagate the logout to all session participants.

  1. In the Administration Console, click Devices > Identity Servers > Servers > Edit > Liberty or SAML 2.0 > Identity Provider > Options.

  2. Enable Front Channel Logout: After this option is enabled, the Service Provider initiates a logout at the Identity Provider by using the HTTP Redirect method.

  3. Configure Front Channel Logout for Access Gateway Initiated Logout: In addition to enabling front channel logout, add the following parameter to the NESP web.xml and restart Tomcat:

Add the following parameter to web.xml, directly below the ldapLoadThreshold context-param:

  <context-param>
    <param-name>forceESPSLOHTTP</param-name>
    <param-value>true</param-value>
  </context-param>

To restart Tomcat:

Linux: Enter the following command:

  /etc/init.d/novell-tomcat5 restart

Windows: Enter the following commands:

  net stop Tomcat5
  net start Tomcat5
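The web.xml edit in step 3 is easy to get wrong by hand (a typo in the parameter name, a value other than true, or the block placed outside <web-app>), and a logout that silently falls back to back-channel behaviour is hard to notice. The following helper is an added example, not NetIQ's own tooling: it checks whether forceESPSLOHTTP is already set to true, fixes a wrong value in place, or inserts the block directly after the ldapLoadThreshold context-param as the procedure requires, and refuses to guess a position if that anchor is missing. The sample web.xml fragment is constructed for the example; the regex assumes the standard Servlet <context-param> layout shown above.

```python
"""Check and, if needed, add the forceESPSLOHTTP context-param to a web.xml.

Hypothetical helper (not part of NetIQ Access Manager). Assumes the web.xml
uses the standard Servlet <context-param> layout and already contains a
ldapLoadThreshold context-param, as the procedure states.
"""
import re

PARAM_NAME = "forceESPSLOHTTP"      # the parameter the procedure adds
ANCHOR_NAME = "ldapLoadThreshold"   # the new block goes directly below this one

# Constructed sample of the relevant portion of a web.xml (not a real file).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <context-param>
    <param-name>ldapLoadThreshold</param-name>
    <param-value>10</param-value>
  </context-param>
  <servlet>
    <servlet-name>example</servlet-name>
  </servlet>
</web-app>
"""

# One <context-param> block: name and value captured, whitespace tolerated.
_PARAM_RE = re.compile(
    r"<context-param>\s*<param-name>\s*(?P<name>[^<]+?)\s*</param-name>\s*"
    r"<param-value>\s*(?P<value>[^<]*?)\s*</param-value>\s*</context-param>",
    re.DOTALL,
)


def context_params(xml_text):
    """Return {param-name: param-value} for every <context-param> in the text."""
    return {m.group("name"): m.group("value") for m in _PARAM_RE.finditer(xml_text)}


def front_channel_logout_forced(xml_text):
    """True only when forceESPSLOHTTP is present and set to true (case-insensitive)."""
    return context_params(xml_text).get(PARAM_NAME, "").strip().lower() == "true"


def ensure_front_channel_logout(xml_text):
    """Return web.xml text with forceESPSLOHTTP=true in place.

    Idempotent: a correct existing entry is left untouched, a wrong value is
    rewritten in place, and a missing entry is inserted right after the
    ldapLoadThreshold block with matching indentation.
    """
    if front_channel_logout_forced(xml_text):
        return xml_text

    if PARAM_NAME in context_params(xml_text):
        # Present but not "true": replace only the value, keeping everything else.
        def fix(m):
            if m.group("name") != PARAM_NAME:
                return m.group(0)
            whole, off = m.group(0), m.start()
            s, e = m.span("value")
            return whole[: s - off] + "true" + whole[e - off:]
        return _PARAM_RE.sub(fix, xml_text)

    anchor = next((m for m in _PARAM_RE.finditer(xml_text)
                   if m.group("name") == ANCHOR_NAME), None)
    if anchor is None:
        raise ValueError("no ldapLoadThreshold context-param found; not guessing a position")

    # Reuse the anchor's indentation so the inserted block matches the file's layout.
    line_start = xml_text.rfind("\n", 0, anchor.start()) + 1
    indent = xml_text[line_start:anchor.start()]
    if indent.strip():
        indent = ""
    block = (
        f"\n{indent}<context-param>\n"
        f"{indent}  <param-name>{PARAM_NAME}</param-name>\n"
        f"{indent}  <param-value>true</param-value>\n"
        f"{indent}</context-param>"
    )
    return xml_text[: anchor.end()] + block + xml_text[anchor.end():]


if __name__ == "__main__":
    print(ensure_front_channel_logout(SAMPLE_WEB_XML))
```

Run it against a copy of the real NESP web.xml, diff the output against the original before putting it in place, and then restart Tomcat as shown above; the check function alone is also useful as a post-change verification step.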