Session Termination RP-PEP

There are several triggers that can cause a user's SSO session on the RP-PEP to be terminated; they are described below. There is no partial logout within the SSO domain (i.e. from a single application only): logout always applies globally to the entire SSO session. The scenarios described below apply to applications that are hosted in the Federal Administration networks and are therefore protected by an RP-PEP.

Session termination by logout

Logout from the SSO session is always initiated on the RP-PEP. The user calls a URL in one of the applications used in the session, which triggers the logout on the RP-PEP. The RP-PEP then informs all applications used in the SSO session on the PEP so that they can close their sessions.

Logout URI on the PEP
The application SHALL offer the user the possibility to terminate their session on the PEP and thus also in the application. The RP-PEP does not support SAML 2.0 Single Logout.
In principle, any URI of the application that is located in an authenticated area on the RP-PEP can be used as a logout URI. The logout of the session is triggered by the RP-PEP's query parameter "logout" if it is sent in a request to the authenticated area.

Ideally, the logout link in the application is the URI of the application's entry page or of a dedicated logout page, supplemented by the query parameter logout.
Correct
https://www.gate.amt.admin.ch/appl1/private/welcome.html?logout

    => The logout URI is located in the authenticated '/appl1/private/*' area. The logout URI is set to the entry page of the application with the query parameter ?logout.
Incorrect
https://www.gate.amt.admin.ch/appl1/public/overview.html?logout
    => The logout URI is located in the non-authenticated '/appl1/public/*' area, so the logout is not triggered there.
Incorrect
https://www.gate.amt.admin.ch/appl1/private/logout.do?logout
    => The logout URI is set to the logout URI of the application itself. If a re-login is made on this URI after a logout, the session on the application is closed again immediately.
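As an added illustration (not part of the original eIAM documentation), the following Python check applies the three rules above to a candidate logout link; the authenticated path prefixes and the application's own logout handler paths are assumed inputs supplied by whoever reviews the configuration:

```python
from typing import Iterable, List
from urllib.parse import parse_qs, urlsplit

def check_logout_uri(uri: str, authenticated_prefixes: Iterable[str],
                     app_logout_paths: Iterable[str]) -> List[str]:
    """Review a logout link against the three rules above.

    authenticated_prefixes: path prefixes that are authenticated areas on the RP-PEP
    app_logout_paths: the application's own logout handler paths (must not be reused)
    Returns the list of problems found; an empty list means the link is acceptable.
    """
    parts = urlsplit(uri)
    problems: List[str] = []
    # Rule 1: the RP-PEP only reacts to the query parameter "logout".
    if "logout" not in parse_qs(parts.query, keep_blank_values=True):
        problems.append("query parameter 'logout' missing: the RP-PEP will not end the session")
    # Rule 2: the parameter is only honoured in a request to an authenticated area.
    if not any(parts.path.startswith(p) for p in authenticated_prefixes):
        problems.append("path is outside the authenticated area: the logout is not triggered")
    # Rule 3: reusing the application's own logout handler closes a fresh session on re-login.
    if parts.path in set(app_logout_paths):
        problems.append("points at the application's own logout handler: a re-login on this URI "
                        "is immediately logged out again")
    return problems
```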

LogoutURI
Application sessions are linked to the SSO session in that application session cookies are not passed on to the web browser, but are retained on the PEP in a cookie cache of the SSO session context. A logout URI can be configured in the RP-PEP for each application. If this URI is defined, each application used within this SSO session will be notified when the SSO session is terminated. For this purpose, the RP-PEP sends an HTTP GET request to the defined URI, including the application-specific session cookies. In this way, applications can be informed by the PEP about terminated SSO sessions in order to close the user's session cleanly.

Session Logout Procedure
The user-controlled termination of the session (logout) on the RP-PEP proceeds as shown below. SAML 2.0 Single Logout (SLO) is not supported by eIAM. The initial situation is an existing SSO session of the user with the RP-PEP and one established session each between the RP-PEP and application A and application B.

Figure: Session termination by logout


  1. The Web Browser sends a request for Application A to the RP-PEP in the current session.
  2. The RP-PEP sends a request to application A in the current session.
  3. The application A sends a response to the RP-PEP.
  4. The RP-PEP sends a response to the web browser.
  5. The web browser sends a request for application B to the RP-PEP in the current session.
  6. The RP-PEP sends a request to application B in the current session.
  7. The application B sends the response to the RP-PEP.
  8. The RP-PEP sends the response to the Web Browser.
  9. The user uses the Logout function in application A and the Web Browser sends the request to the Logout URI.
  10. The RP-PEP calls the Logout URI of application A and sends the session cookie of application A along with it.
  11. Application A invalidates the user's session.
  12. Application A sends the logout response to the RP-PEP.
  13. The RP-PEP calls the logout URL of application B and sends the session cookie of application B with it.
  14. Application B invalidates the user's session.
  15. Application B sends the logout response to the RP-PEP.
  16. The RP-PEP invalidates the user's session.
  17. The RP-PEP sends the web browser an HTML page confirming the completed logout.

Session termination by logout for applications with STS-PEPs
The following sequence explains the session termination process for applications that are not hosted behind an RP-PEP but elsewhere (BV-Net, Cloud). Since these applications do not use the RP-PEP as the front door for all connections between the web browser and the application, the RP-PEP cannot be the master of all sessions. However, as the SAML IdP from the application's point of view, the RP-PEP is the only entity that knows all service providers used within the SSO session and can inform them about the end of a session.

The initial situation is an existing session of the user's browser with the RP-PEP. In the SSO session, application A and application B were used by the user. Both applications have subsequently sent a SAML AuthnRequest to the RP-PEP and received a SAML response from it.

Figure: Session termination by logout for applications outside the networks of the Federal Administration

  1. The user sends an HTTP request to the logout URI of application A.
  2. Application A creates a signed SAML logout request to the RP-PEP. It embeds the SAML LogoutRequest in a self-submitting HTML form and sends it as HTTP response to the web browser.
  3. The Web Browser sends the LogoutRequest via HTTP POST to the SingleLogout Location URL of the RP-PEP.
  4. The RP-PEP as IdP checks the SAML LogoutRequest for its signature and searches for the corresponding SSO session. It forms a list of all service providers to be informed about the logout. The RP-PEP creates a signed SAML LogoutRequest for the attention of application B.
  5. The RP-PEP transmits the SAML Logout Request via a self-submitting HTML form in the HTTP response to the Web Browser.
  6. The Web Browser sends the LogoutRequest via HTTP POST to the SingleLogout Location URL of Application B.
  7. Application B checks the SAML LogoutRequest, identifies the session and generates a signed SAML LogoutResponse. The session on application B is terminated.
  8. The LogoutResponse is transmitted to the web browser via a self-submitting HTML form in the HTTP response.
  9. The Web Browser sends the LogoutResponse via HTTP POST to the RP-PEP.
  10. The RP-PEP checks the LogoutResponse. If other applications were used in the SSO session, they will be informed of the end of the session in the same way. If application B was the last application that did not initiate the SAML Single-Logout, the RP-PEP creates a signed SAML Logout Response for the attention of application A.
  11. The logout response is embedded in a self-submitting HTML form and sent to the user's browser in the HTTP response.
  12. The web browser sends the LogoutResponse via HTTP POST to application A.
  13. Application A checks the LogoutResponse and terminates the user's session.
  14. Application A sends confirmation to the user's web browser in the HTTP response that the logout has been performed and the SSO session has been terminated.
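The IdP-side orchestration of steps 4 to 10 as an added example in Python (not eIAM code): messages are plain dicts standing in for the SAML XML carried in the self-submitting HTML forms, and the signature check is a constructed stand-in for XML-DSig verification against SP metadata.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for XML-Signature checking: a message counts as signed by its
# issuer if "sig" names that issuer. A real IdP verifies the XML-DSig with SP metadata.
def verify(msg: dict) -> bool:
    return msg.get("sig") == f"sig:{msg.get('issuer')}"

@dataclass
class SloState:
    initiator: str                    # SP that started SLO (application A in the text)
    pending: List[str]                # SPs still to be notified, in order
    in_flight: Optional[str] = None   # SP whose LogoutResponse is awaited

class IdpSlo:
    """RP-PEP acting as SAML IdP for applications behind STS-PEPs (front-channel SLO)."""
    def __init__(self) -> None:
        self.sso: Dict[str, List[str]] = {}   # sso_id -> SPs that got a SAML Response
        self.slo: Dict[str, SloState] = {}

    def _next(self, sso_id: str) -> dict:
        st = self.slo[sso_id]
        if st.pending:                        # steps 4/5 and 10: next SP gets a LogoutRequest
            st.in_flight = st.pending.pop(0)
            return {"type": "LogoutRequest", "issuer": "RP-PEP", "destination": st.in_flight,
                    "binding": "HTTP-POST", "sig": "sig:RP-PEP"}
        del self.sso[sso_id], self.slo[sso_id]  # every other SP answered: SSO session is gone
        return {"type": "LogoutResponse", "issuer": "RP-PEP", "destination": st.initiator,
                "binding": "HTTP-POST", "sig": "sig:RP-PEP", "status": "Success"}

    def handle_logout_request(self, sso_id: str, msg: dict) -> dict:
        """Step 4: verify the signature, find the SSO session, list the other SPs."""
        if msg.get("type") != "LogoutRequest" or not verify(msg):
            return {"type": "Error", "reason": "invalid or unsigned LogoutRequest"}
        sps = self.sso.get(sso_id)
        if sps is None or msg["issuer"] not in sps:
            return {"type": "Error", "reason": "no SSO session for this issuer"}
        others = [sp for sp in sps if sp != msg["issuer"]]
        self.slo[sso_id] = SloState(initiator=msg["issuer"], pending=others)
        return self._next(sso_id)

    def handle_logout_response(self, sso_id: str, msg: dict) -> dict:
        """Steps 9/10: accept only the awaited SP's LogoutResponse, then continue or finish."""
        st = self.slo.get(sso_id)
        if st is None or msg.get("type") != "LogoutResponse" or not verify(msg):
            return {"type": "Error", "reason": "invalid or unsigned LogoutResponse"}
        if msg["issuer"] != st.in_flight:
            return {"type": "Error", "reason": "unsolicited LogoutResponse"}
        st.in_flight = None
        return self._next(sso_id)
```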

Session termination due to session inactivity

The user's session on the RP-PEP is also invalidated and terminated after prolonged inactivity. Inactive sessions are terminated on the one hand for security reasons and on the other hand to free up system resources that are no longer needed.

The termination of the session initiated by the RP-PEP after a longer period of inactivity is described in the following procedure. Since the logout was not triggered by a user request, no information about the logout can be displayed to the user. If the user sends a request to the RP-PEP again after the session on the RP-PEP has been terminated due to inactivity, a new session is started with the user's web browser.

Figure: Session termination due to session inactivity


  1. The web browser sends an HTTP request for application A to the RP-PEP in the running session.
  2. The RP-PEP sends the HTTP request to application A in the current session.
  3. The application A sends the HTTP response to the RP-PEP.
  4. The RP-PEP sends the response to the Web Browser.
  5. The web browser sends an HTTP request for application B to the RP-PEP in the current session.
  6. The RP-PEP sends the HTTP request to application B in the current session.
  7. The application B sends the HTTP response to the RP-PEP.
  8. The RP-PEP sends the HTTP response to the web browser.
  9. After the inactivity interval defined on the RP-PEP has expired (the time period during which no further requests were received by the RP-PEP on this session), the RP-PEP initiates the logout on application A on its own and sends an HTTP request to the application's logout URL, together with the session cookie issued by the application.
  10. Application A invalidates the user's session.
  11. Application A sends an HTTP response to the RP-PEP. This HTTP response is not forwarded to the web browser because the browser did not make an HTTP request.
  12. The RP-PEP sends an HTTP request to the logout URL of application B together with the session cookie that application B has issued.
  13. The application B sends an HTTP response to the RP-PEP. This HTTP response is not forwarded to the web browser because the browser has not made an HTTP request.
  14. The RP-PEP invalidates the user's session. The termination of the session on the PEP occurs regardless of the application's response to the call to the logout URL.

Session termination by reaching the maximum session duration

The user's session on the RP-PEP is also invalidated and terminated when the maximum allowed session lifetime is reached. When this happens, the session is automatically invalidated on the RP-PEP and all applications used during the session are notified by the RP-PEP that the session has been invalidated. The session is invalidated even if there is still activity on it; the maximum session duration on the RP-PEP is a hard limit.

The termination of the session initiated by the RP-PEP when the maximum session duration is reached is as described below. SAML 2.0 Single Logout (SLO) is not supported.

Figure: Session termination on reaching the maximum session lifetime


The initial situation is an already existing session between the user's web browser and the RP-PEP. Applications A and B are used during the session.
  1. The web browser sends an HTTP request to the RP-PEP for application A.
  2. The RP-PEP forwards the HTTP request to application A after checking it.
  3. Application A processes the HTTP request and sends the HTTP response to the RP-PEP.
  4. The RP-PEP sends the HTTP response to the Web Browser.
  5. The web browser sends an HTTP request to the RP-PEP for application B.
  6. The RP-PEP sends the HTTP request to application B after checking it.
  7. Application B processes the HTTP request and sends the response to the RP-PEP.
  8. The RP-PEP sends the HTTP response to the web browser.
  9. The user's session on the RP-PEP reaches the maximum lifetime.
  10. The RP-PEP sends an HTTP request to the logout URL of application A together with the session cookie of application A.
  11. Application A invalidates the user's session.
  12. Application A sends the HTTP response to the PEP. This HTTP response is not passed on to the user's web browser.
  13. The RP-PEP sends an HTTP request to the logout URL of application B together with the session cookie of application B.
  14. Application B invalidates the user's session.
  15. Application B sends the HTTP response to the RP-PEP. This response is not forwarded by the RP-PEP to the user's browser.
  16. The RP-PEP invalidates the user's session.
  17. The user's web browser sends a new HTTP request to the RP-PEP together with the now invalid RP-PEP session cookie.
  18. The RP-PEP checks the HTTP request and detects that a new security context needs to be established.
  19. The RP-PEP redirects the web browser to the RP-PEP login URL. A new session cookie is set in the web browser with the HTTP response.
  20. The web browser sends the HTTP request to the RP-PEP login URL.
The further establishment of the session and the forwarding of the requests are carried out as described above.
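An added Python model (not eIAM code) of the RP-PEP session store that serves the three PEP-driven terminations described above: user logout via ?logout, expiry of the inactivity interval, and reaching the maximum session lifetime. It assumes a caller-supplied notifier standing in for the HTTP GET to each application's logout URI with the cached cookies, and takes timestamps from the caller instead of a clock:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the RP-PEP's HTTP GET to an application's logout URI,
# carrying that application's cached cookies. Returns True if the app answered 2xx.
Notifier = Callable[[str, Dict[str, str]], bool]

@dataclass
class AppSession:
    logout_uri: Optional[str]                              # logout URI configured on the PEP
    cookies: Dict[str, str] = field(default_factory=dict)  # cookie cache; never sent to browser

@dataclass
class SsoSession:
    created_at: float
    last_activity: float
    apps: Dict[str, AppSession] = field(default_factory=dict)
    valid: bool = True

class RpPep:
    def __init__(self, inactivity_interval: float, max_lifetime: float, notify: Notifier):
        self.inactivity_interval, self.max_lifetime, self.notify = inactivity_interval, max_lifetime, notify
        self.sessions: Dict[str, SsoSession] = {}

    def request(self, sid: str, app: str, logout_uri: Optional[str], now: float,
                set_cookie: Optional[Dict[str, str]] = None) -> None:
        """Request for `app` via the PEP: first use opens the SSO session; app cookies stay cached."""
        s = self.sessions.setdefault(sid, SsoSession(created_at=now, last_activity=now))
        if not s.valid:
            raise PermissionError("session invalid: new security context required")
        s.last_activity = now
        s.apps.setdefault(app, AppSession(logout_uri)).cookies.update(set_cookie or {})

    def logout(self, sid: str) -> List[Tuple[str, bool]]:
        """Global logout: call every app's logout URI with its cached cookies; PEP session ends regardless."""
        s = self.sessions[sid]
        results = [(app, self.notify(a.logout_uri, a.cookies))
                   for app, a in s.apps.items() if a.logout_uri]
        s.valid = False
        return results

    def sweep(self, now: float) -> Dict[str, str]:
        """PEP-initiated termination; max lifetime applies even to an active session."""
        expired = {sid: "max_lifetime" if now - s.created_at >= self.max_lifetime else "inactivity"
                   for sid, s in self.sessions.items() if s.valid and (
                       now - s.created_at >= self.max_lifetime
                       or now - s.last_activity >= self.inactivity_interval)}
        for sid in expired:
            self.logout(sid)
        return expired
```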