Implementing SSO and SLO
AM provides two options for implementing SSO and SLO with SAML v2.0:
- Integrated Mode
Integrated mode single sign-on and single logout uses a SAML2 authentication node or module on a service provider (SP), thereby integrating SAML v2.0 authentication into the AM authentication process. The authentication node or module handles the SAML v2.0 protocol details for you.
Note that integrated mode supports SP-initiated single sign-on only, because the authentication service that includes the SAML v2.0 node or module resides on the SP. You cannot trigger IDP-initiated single sign-on in an integrated mode implementation.
Integrated mode with chains supports both IDP-initiated and SP-initiated SLO.
Integrated mode with trees does not support SLO.
- Standalone Mode
Standalone mode requires that you invoke JSPs pages to initiate single sign-on and SLO. When implementing standalone mode, you do not require an AM authentication chain.
Tip
You can also configure Web and Java Agents to work alongside AM when performing SSO and SLO. See "Web or Java Agents SSO and SLO".
The following table provides information to help you decide whether to implement integrated mode or standalone mode for your AM SAML v2.0 deployment:
| Deployment Task or Requirement | Implementation Mode |
|---|---|
| You want to deploy SAML v2.0 single sign-on and single logout using the easiest technique. | Use integrated mode. |
| You want to integrate SAML v2.0 authentication into an authentication chain, letting you configure an added layer of login security by using additional authentication modules. | Use integrated mode. |
| You want to trigger SAML v2.0 IDP-initiated SSO. | Use standalone mode. |
| You want to use the SAML v2.0 Enhanced Client or Proxy (ECP) single sign-on profile. | Use standalone mode. |
Your IDP and SP instances are using the same domain name; for example, mydomain.net. [a] | Use standalone mode. |
[a] Due to the way integrated mode tracks authentication status by using a cookie, it cannot be used when both the IDP and SP share a domain name. | |