When you are in an active session on the service provider and a time-out occurs, the service provider initiates a logout. You can configure this time-out by using the web.xml parameter in Access Gateway ESP. ESP initiates a logout message to the Access Manager service provider over the SOAP back-channel when the time-out is reached. After the service provider receives this message, it creates a SAML 2.0 logout request to the remote identity provider over SOAP.
To send the session time-out message:
Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication > ESP Global Options.
Remove the pound (#) symbol before notifysessionTimetoIDP and set the value as true.
ESP sends an ESP session time-out message. After the time-out, the service provider sends a <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> request to the remote identity provider.
Restart Tomcat on each Identity Server in the cluster: /etc/init.d/novell-idp restart
For the Docker deployment, perform the following steps:
Run the kubectl get pods command to view the Access Manager pods.
Go to the Identity Server pod by running kubectl exec --namespace <name-of-the-namespace> -it pod/<name-of-the-identity-server-pod> -- sh.
Run /etc/init.d/novell-idp restart or systemctl restart novell-idp.service.
If you set the session synchronization between a service provider and a remote identity provider, the remote identity provider never sends the logout request to the active service provider.
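To confirm that the time-out produces the SOAP-wrapped samlp:LogoutRequest described above, you can inspect a captured back-channel message. The following is an added example, not Access Manager code: the sample message, its values, and the function name check_logout_request are constructed for illustration, and the checks are generic SAML 2.0 checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of a back-channel logout message; every value is made up.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_example1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z"
      NotOnOrAfter="2024-01-01T10:05:00Z">
   <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
   <saml:NameID>user@example.com</saml:NameID>
   <samlp:SessionIndex>idx-1</samlp:SessionIndex>
  </samlp:LogoutRequest>
 </soap:Body>
</soap:Envelope>"""


def check_logout_request(xml_text, now):
    """Return (summary, findings) for a SOAP-wrapped SAML 2.0 LogoutRequest."""
    if "<!DOCTYPE" in xml_text:  # SAML messages never need a DTD
        raise ValueError("DTD not allowed in SAML messages")
    req = ET.fromstring(xml_text).find("soap:Body/samlp:LogoutRequest", NS)
    if req is None:
        raise ValueError("no samlp:LogoutRequest in SOAP body")
    findings = []
    if req.get("Version") != "2.0":
        findings.append("Version is not 2.0")
    if not req.get("ID"):
        findings.append("missing ID")
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if not issuer:
        findings.append("missing Issuer")
    # The schema requires one of these to identify the principal being logged out.
    if not any(req.find(f"saml:{t}", NS) is not None
               for t in ("NameID", "EncryptedID", "BaseID")):
        findings.append("missing NameID")
    expiry = req.get("NotOnOrAfter")
    if expiry and now >= datetime.strptime(
            expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc):
        findings.append("request expired (NotOnOrAfter)")
    if req.find("ds:Signature", NS) is None:
        findings.append("no ds:Signature element")
    sessions = [e.text for e in req.findall("samlp:SessionIndex", NS)]
    return {"issuer": issuer, "id": req.get("ID"), "sessions": sessions}, findings
```

A missing ds:Signature is reported only as a finding, because a SOAP back-channel may instead be authenticated at the transport layer.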