Configuring login and logout endpoints

In order to authenticate a given user, the SAML Session Provider sends an authentication request to the identity provider (AD FS, InforSTS, or PingFederate). The response (assertion) is returned to one of a set of pre-configured login endpoints, also known as assertion consumer service locations. These are the endpoints at which the SAML Session Provider receives and handles assertions from the IdP.

When a web application in the grid requires a session, this session is set as a cookie on the HTTP response. It is important that the assertion from the IdP is sent to the same host address as the one used in the original request from the client. Otherwise, the session will be set on the wrong context, and the client will not be able to access the desired resources. Both the SAML Session Provider and the IdP must be configured to use the correct assertion consumer services.

If you access secured web applications in the grid via a proxy server or load balancer, you must add assertion consumer services representing the proxy host. For more information, see Load Balancer Considerations.
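The host-matching requirement above, as an added illustrative check (example code, not the SAML Session Provider's own implementation): a response is accepted only if its Destination is one of the configured ACS locations, the assertion's Recipient agrees with it, and the ACS host is the host the client actually requested, so the session cookie lands on the context the client will use. The ACS hostnames and the minimal unsigned SAML response are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Pre-configured ACS locations: the grid host itself and the proxy /
# load balancer host that clients use (hypothetical hostnames).
ACS_LOCATIONS = {
    "https://grid.example.internal:8443/saml/acs",
    "https://apps.example.com/saml/acs",
}

def build_response(destination: str, recipient: str) -> str:
    """Constructed minimal SAML response (unsigned, for illustration only)."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'Destination="{destination}">'
        '<saml:Assertion><saml:Subject><saml:SubjectConfirmation>'
        f'<saml:SubjectConfirmationData Recipient="{recipient}"/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion>'
        '</samlp:Response>'
    )

def acs_check(response_xml: str, request_host: str) -> tuple[bool, str]:
    """Return (accepted, reason). request_host is the Host header value
    (host[:port]) the client used for the original request; the session
    cookie set on this response is only useful on that same context."""
    root = ET.fromstring(response_xml)
    destination = root.get("Destination")
    # Only accept assertions delivered to a configured ACS location.
    if destination not in ACS_LOCATIONS:
        return False, f"Destination {destination!r} is not a configured ACS"
    # The assertion's Recipient must name the same ACS the response hit.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != destination:
        return False, "Recipient does not match Destination"
    # The ACS host must be the host the client used (direct or via proxy),
    # otherwise the cookie is set on the wrong context.
    if urlsplit(destination).netloc != request_host:
        return False, "ACS host differs from the host the client requested"
    return True, "ok"
```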

The SAML protocol also supports single logout across all configured SAML service providers. For the SAML Session Provider to participate in the logout process, it must have a logout endpoint configured, and the identity provider that initiates the logout requests must know about that endpoint. This setup is primarily used in cloud installations.