The Security Assertion Markup Language (SAML) has a single logout option to ensure that all identity provider (IdP) sessions for a user are properly closed.
With SAML single sign-on (SSO), you only need to log in once, and can then access several web sites without additional login prompts. This is convenient, but potentially also risky. If one or more sessions are not properly closed, they are vulnerable to attack. By using SAML single logout you can eliminate that risk.
Two alternatives exist for SAML single logout:
- Logout initiated by the IdP.
- Logout initiated by the service provider.
Single logout initiated by the service provider
There are two use cases for single logout initiated by the service provider: one where you actively log out from the sessions, and one where the session times out.
In the user logout use case, you actively log out, for example, by clicking logout. The session is destroyed and the SAML single logout request is sent to the IdP. Then the IdP deletes the IdP session for the user and sends a logout response to the service provider (Qlik Sense). Qlik Sense then redirects to the logout page.
In the session timeout use case, the session times out, the web client is notified, and the SAML single logout request is sent to the IdP. Then the IdP deletes the IdP session for the user and sends a logout response to the service provider (Qlik Sense). Qlik Sense then redirects to the logout page.
Enabling SAML single logout
Before you enable SAML single logout for Qlik Sense, you need to ensure that your identity provider supports it and that it is configured correctly. For example, some identity providers require that you upload a certificate. If a certificate is required, we recommend that you use the server.pem certificate that is available in the following folder: %ProgramData%\Qlik\Sense\Repository\Exported Certificates\.Local Certificates, or a third-party certificate, if you have configured the proxy to use such a certificate.
If you are upgrading from an earlier version of Qlik Sense, you must set up the IdP for SAML single logout.
Do the following:
1. Make sure that your IdP is set up to support SAML single logout. The metadata file should include the logout locations where Qlik Sense will send the logout requests.
2. Download new metadata from the IdP (usually available from the identity provider's web page).
3. In the Authentication section, on the virtual proxy edit page, add the SAML IdP metadata file with settings for SAML single logout.
4. On the same page, select SAML single logout.
5. Download the new metadata file from the service provider (Qlik Sense).
6. Upload the service provider metadata file to the IdP.
7. Make sure that your IdP sends the NameID during SSO. For example, Active Directory Federation Services (ADFS) requires additional settings to send NameID.
8. If your IdP requires a certificate, use the file server.pem that is available from %ProgramData%\Qlik\Sense\Repository\Exported Certificates\.Local Certificates. For example, to activate single logout in Okta you must upload a service provider certificate.
- If the proxy service is restarted, or the proxy settings are changed, the web client loses its session. While the proxy is restarting, there is no way to send logout requests to the IdP. As a consequence, the web client is automatically logged in again, because the IdP session is still valid, unless it has expired.
- Logout requests sent from the proxy to the IdP support only the SAML HTTP Redirect binding. Incoming logout responses from the IdP to the proxy support both the SAML HTTP Redirect and SAML HTTP POST bindings.
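The service-provider-initiated flow described above (a LogoutRequest carrying the NameID goes out over the HTTP Redirect binding, and the LogoutResponse comes back over either binding) as an added example that is not Qlik Sense code. It builds the outgoing request, encodes it for the Redirect binding, and decodes a response from either binding, accepting it only if it answers our own request with a Success status; the entity IDs, URLs and the sample response are constructed, and signature handling is left to the proxy.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def build_logout_request(request_id, issue_instant, sp_entity_id, idp_slo_url, name_id):
    """LogoutRequest the SP sends to the IdP; NameID must be the one the IdP issued during SSO."""
    return (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{idp_slo_url}"><saml:Issuer>{sp_entity_id}</saml:Issuer>'
            f'<saml:NameID>{name_id}</saml:NameID></samlp:LogoutRequest>')

def deflate_b64(xml):
    """HTTP Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def inflate_b64(value):
    """Reverse of deflate_b64, used to decode Redirect-binding messages."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def post_b64(xml):
    """HTTP POST binding encoding: base64 only, no compression."""
    return base64.b64encode(xml.encode()).decode()

def redirect_binding_url(idp_slo_url, xml):
    """Outgoing request: the encoded message travels in the SAMLRequest query parameter."""
    return idp_slo_url + "?" + urlencode({"SAMLRequest": deflate_b64(xml)})

def logout_response_ok(encoded, binding, expected_request_id):
    """Decode a LogoutResponse from either binding; accept it only if it answers our request with Success."""
    data = inflate_b64(encoded) if binding == "redirect" else base64.b64decode(encoded)
    root = ET.fromstring(data)
    if root.tag != f'{{{NS["samlp"]}}}LogoutResponse':
        return False
    if root.get("InResponseTo") != expected_request_id:
        return False  # unsolicited or replayed response: do not treat the session as logged out
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return code is not None and code.get("Value") == SUCCESS

# Constructed sample LogoutResponse as an IdP would return it (signature omitted here; verify it in practice).
SAMPLE_RESPONSE = (f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" ID="_r1" Version="2.0" '
                   'IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req1"><samlp:Status>'
                   f'<samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:LogoutResponse>')
```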