Identity Cloud

Implement SSO and SLO

Within SAML 2.0 you can implement single-sign on (SSO) and single logout (SLO). SSO is a familiar concept; however, SLO is the ability to terminate multiple login sessions by logging out of one central place.

There are two authentication initiations in which SSO can take place:

  • SP-initiated SSO: The SP initiates the login request.

    For example, if a user navigates to the SP first, then the SP directs to the IDP for the login. If the user already has a session on the IDP, then the IDP redirects the user back to the SP with a SAML assertion. If the user does not have a session, they enter their credentials. After a successful login, the user is redirected back to the SP with a SAML assertion. The user is allowed access to the SP application.

  • IDP-initiated SSO: The IDP initiates the login to the SP.

    For example, the user is already logged into the IDP and clicks an application (SP) to access the application. The IDP sends a SAML assertion to the SP. The user is allowed access to the SP application.

Identity Cloud provides two options for implementing single-sign on (SSO) and single logout (SLO) with SAML 2.0:

Integrated mode

Integrated mode SSO and SLO use a SAML2 authentication node on a service provider (SP), thereby integrating SAML 2.0 authentication into the Identity Cloud authentication process. The authentication node handles the SAML 2.0 protocol details for you.

Integrated mode supports SP-initiated SSO only because the authentication service that includes the SAML 2.0 node resides on the SP.

You cannot trigger IDP-initiated SSO in an integrated mode implementation.

Integrated mode does not support SLO.

Standalone mode

Standalone mode requires you invoke JSPs pages to initiate SSO and SLO.

The following table provides information to help you decide whether to implement integrated mode or standalone mode for your Identity Cloud SAML 2.0 deployment:

Table 1. Integrated or standalone mode?
Deployment task or requirement Implementation mode

You want to deploy SAML 2.0 SSO and SLO using the easiest technique.

Use integrated mode.

You want to trigger SAML 2.0 IDP-initiated SSO.

Use standalone mode.

You want to use the SAML 2.0 Enhanced Client or Proxy (ECP) single sign-on profile.

Use standalone mode.

Your IDP and SP instances are using the same domain name; for example, mydomain.net.(1)

Use standalone mode.

(1) Due to the way integrated mode tracks authentication status by using a cookie, it cannot be used when both the IDP and SP share a domain name.

Copyright © 2010-2023 ForgeRock, all rights reserved.