Identity Cloud

Implement SSO and SLO

AM provides two options for implementing SSO and SLO with SAML v2.0:

Integrated mode

Integrated mode single sign-on and single logout uses a SAML2 authentication node on a service provider (SP), thereby integrating SAML v2.0 authentication into the AM authentication process. The authentication node handles the SAML v2.0 protocol details for you.

Integrated mode supports SP-initiated single sign-on only, because the authentication service that includes the SAML v2.0 node resides on the SP.

You cannot trigger IDP-initiated single sign-on in an integrated mode implementation.

Integrated mode with trees does not support SLO.

Standalone mode

Standalone mode requires that you invoke JSP pages to initiate single sign-on and SLO.

The following table provides information to help you decide whether to implement integrated mode or standalone mode for your AM SAML v2.0 deployment:

Table 1. Integrated or Standalone Mode?
Deployment Task or Requirement Implementation Mode

You want to deploy SAML v2.0 single sign-on and single logout using the easiest technique.

You want to trigger SAML v2.0 IDP-initiated SSO.

You want to use the SAML v2.0 Enhanced Client or Proxy (ECP) single sign-on profile.

Your IDP and SP instances are using the same domain name; for example,

(1) Due to the way integrated mode tracks authentication status by using a cookie, it cannot be used when both the IDP and SP share a domain name.

Copyright © 2010-2023 ForgeRock, all rights reserved.