Implement SSO and SLO
AM provides two options for implementing SSO and SLO with SAML v2.0:
- Integrated mode

  Integrated mode single sign-on and single logout uses a SAML2 authentication node on a service provider (SP), thereby integrating SAML v2.0 authentication into the AM authentication process. The authentication node handles the SAML v2.0 protocol details for you.

  Integrated mode supports SP-initiated single sign-on only, because the authentication service that includes the SAML v2.0 node resides on the SP. You cannot trigger IDP-initiated single sign-on in an integrated mode implementation.

  Integrated mode with trees does not support SLO.

- Standalone mode

  Standalone mode requires that you invoke JSP pages to initiate single sign-on and SLO.
The following table provides information to help you decide whether to implement integrated mode or standalone mode for your AM SAML v2.0 deployment:
| Deployment Task or Requirement | Implementation Mode |
|---|---|
| You want to deploy SAML v2.0 single sign-on and single logout using the easiest technique. | Use integrated mode. |
| You want to trigger SAML v2.0 IDP-initiated SSO. | Use standalone mode. |
| You want to use the SAML v2.0 Enhanced Client or Proxy (ECP) single sign-on profile. | Use standalone mode. |
| Your IDP and SP instances are using the same domain name; for example, (1) | Use standalone mode. |
(1) Due to the way integrated mode tracks authentication status by using a cookie, it cannot be used when both the IDP and SP share a domain name.