SAML defines the IdP-initiated logout as a way to log users out of all service providers they are known to have authenticated to in the current session. DigiD supports logout by sending IdP-initiated SOAP logout requests. A number of Service Providers (ADFS, Auth0) do not support these requests, so the Connectis Identity Broker cannot forward them to such Service Providers. In this document we describe how our Polling Service can be used to work around this problem.
After a user logs in on DigiD, the Connectis Identity Broker caches which user has logged in and from which IdP, and links a random token to this entry.
Stored in Cache/database 1:
Login token (the random token linked to the entry; the Service Provider later polls with it)
Sectorcode + BSN (open question: hashed with a salt?)
Date when created
Date when updated
The Connectis Identity Broker sends the Service Provider a SAML Response with an attribute "login-token" that contains the token linked to this entry.
If the broker receives a logout response, or an IdP-initiated logout request that it cannot forward to the Service Provider, it removes the corresponding entry from the cache.
The Service Provider can poll the broker on a REST endpoint with the login token to check whether the user is still logged in on the broker.
The broker returns status code 204 if it finds the token in the cache (the user is logged in) and 404 if it does not (the user is no longer logged in, or the token never existed). A 404 therefore does not distinguish a logged-out user from an unknown token; the Service Provider should treat both the same way and end its local session. Because anyone who can present the token learns whether that session is live, both sides must treat the token as a secret and poll over TLS only.
When the user is sent back to DigiD for re-authentication and logs in successfully, the entry's "Date when updated" is refreshed.
Cache entries are removed automatically once they time out.
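The flow described above, as an added worked example in Python. This is illustration code, not Connectis or DigiD code: it models Cache/database 1 in memory, issues the login token, drops entries on a non-forwardable logout, refreshes the updated date on re-authentication, expires stale entries, and exposes the 204/404 poll as a WSGI endpoint that a Service Provider-side helper calls. The endpoint path /session/<token>, the 10-minute lifetime, the HMAC-SHA256 salted hash for sectorcode+BSN, and the sample sectorcode/BSN values are all assumptions made for the example.

```python
"""In-memory model of the broker session cache and the polling endpoint.
Added example, not Connectis code. Assumed: entries are keyed by login token,
sectorcode+BSN is stored as a keyed (salted) hash, path /session/<token>, TTL 600 s."""
import hashlib
import hmac
import secrets
import time
from wsgiref.util import setup_testing_defaults

SESSION_TTL_SECONDS = 600              # assumed cache lifetime
BROKER_SALT = secrets.token_bytes(32)  # assumed per-deployment secret salt


def hash_subject(sectorcode: str, bsn: str) -> str:
    """Keyed hash so a cache dump does not reveal BSNs (HMAC is this example's
    answer to the page's open question 'hashed with salt?')."""
    return hmac.new(BROKER_SALT, f"{sectorcode}:{bsn}".encode(), hashlib.sha256).hexdigest()


class SessionCache:
    """Cache/database 1: login token -> {subject, created, updated}."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock      # injectable for testing expiry
        self.entries = {}

    def login(self, sectorcode, bsn):
        """After a successful DigiD login: create the entry and return the token
        that goes into the SAML Response attribute "login-token"."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        now = self.clock()
        self.entries[token] = {"subject": hash_subject(sectorcode, bsn),
                               "created": now, "updated": now}
        return token

    def reauthenticate(self, token):
        """User was sent back to DigiD and logged in again: refresh 'updated'."""
        entry = self.entries.get(token)
        if entry is not None:
            entry["updated"] = self.clock()
        return entry is not None

    def logout(self, sectorcode, bsn):
        """Logout the broker cannot forward: drop every entry for this subject so
        all of that user's tokens start answering 404. Returns entries removed."""
        subject = hash_subject(sectorcode, bsn)
        dead = [t for t, e in self.entries.items() if e["subject"] == subject]
        for t in dead:
            del self.entries[t]
        return len(dead)

    def expire(self):
        """Remove entries whose last update is older than the TTL."""
        cutoff = self.clock() - self.ttl
        stale = [t for t, e in self.entries.items() if e["updated"] < cutoff]
        for t in stale:
            del self.entries[t]
        return len(stale)

    def status_for(self, token):
        """204 if the token is live, 404 if unknown or logged out/expired."""
        self.expire()
        return 204 if token in self.entries else 404


def make_app(cache):
    """WSGI application for the broker: GET /session/<token> -> 204 or 404."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        code = 404
        if environ.get("REQUEST_METHOD") == "GET" and path.startswith("/session/"):
            code = cache.status_for(path[len("/session/"):])
        start_response("204 No Content" if code == 204 else "404 Not Found", [])
        return [b""]
    return app


def sp_poll(app, token):
    """Service Provider side: poll the broker, True = still logged in,
    False = logged out or unknown token (both are 404 by design)."""
    environ = {}
    setup_testing_defaults(environ)      # offline stand-in for a real HTTP call
    environ["REQUEST_METHOD"] = "GET"
    environ["PATH_INFO"] = "/session/" + token
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["code"] = int(status.split()[0])

    list(app(environ, start_response))
    if seen["code"] == 204:
        return True
    if seen["code"] == 404:
        return False
    raise RuntimeError(f"unexpected status {seen['code']} from broker")
```

Note that putting the token in the URL path, as this example does, means it will appear in web-server access logs; a production deployment would rather carry it in a header or request body.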