For other requirements, see Use cases Single Sign-On.
Sessions at participants
Participants MAY maintain a session for single sign-on if the user so indicated. The following data MAY be maintained in this session:
- a Herkenningsmakelaar (HM) maintains user preferences (selected AD and MR).
- an Authenticatiedienst (AD) maintains the identity of the user. Based on this session, the AD MAY directly issue a new authentication assertion to the service providers making a request in which single sign-on is specified. The requirements for the maximum life span must be followed.
- a Machtigingenregister (MR) maintains user preferences (chosen party to represent).
The maximum life span of a session at the AD is 2 hours, unless a new authentication assertion is issued in the meantime, in which case the session MAY be extended to a maximum of 2 hours.
Participants MAY provide a user the option to log out.
This option has the same function as logging out from a service provider (see below). Participants and service providers must ensure that cookies are deleted after logging out or after the expiry of an authentication session, and that previously received forms that are resubmitted generate an error.
Shared domain cookies
For cookies in which the choice for a preferred AD is saved, the Identity Provider Discovery Profile is applied as follows:
- The shared domain is '*.sso.eherkenning.nl'
- The name of the cookie MUST be '_saml_idp'
- The cookie MUST have the path prefix '/'.
- The parameters Secure and HttpOnly MUST be used.
- The cookie is persistent.
- The content of the cookie consists of one or more Base-64 encoded URI values, each separated by a single space.
- Each URI value represents the unique identification number for an AD as defined in EntityID. When there is no AD related to the value stored in the cookie, the HM MUST act as if no cookie was set and MUST uncheck the checkbox stating "Bewaar selectie authenticatiedienst".
To ensure that the shared domain cookies are available for all HMs, they are sent from the browser of the user to a cookie server that belongs to the respective HM but is placed in the shared domain. Redirects and/or a script can be used to include this information in the HTML page that is sent to the user.
If a script is used, cookie handling must be programmed in such a way that, if the cookie server does not respond, the process is continued as if a cookie value did not have to be read or written. If redirects or scripts are used, the HM SHOULD detect when a sent request is not being answered and the same request is being resubmitted. In that case, repeated requests must follow an alternative path without cookies. The objective of doing this is to prevent obstructing the process when cookies do not work.
See also Proces onderhoud cookieserver.
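The following is an added example (not eHerkenning code) of how an HM's cookie server can read and write the `_saml_idp` cookie described above: decoding the space-separated Base64 URIs, treating a malformed or unknown entry as "no cookie set", and emitting the Set-Cookie attributes the profile requires. The AD EntityIDs and the persistence duration are constructed assumptions; real values come from the eHerkenning metadata.

```python
import base64
import binascii

# Constructed EntityIDs of the ADs this HM knows (assumption; real values come
# from the eHerkenning metadata, not from this page).
KNOWN_AD_ENTITY_IDS = {"urn:example:ad-1", "urn:example:ad-2"}
COOKIE_NAME = "_saml_idp"              # name required by the specification
SHARED_DOMAIN = ".sso.eherkenning.nl"  # shared domain from the specification
ASSUMED_MAX_AGE = 365 * 24 * 3600      # page only says "persistent"; duration assumed

def parse_saml_idp_cookie(value, known_ads=KNOWN_AD_ENTITY_IDS):
    """Decode a _saml_idp value: Base64 URIs separated by single spaces.

    Any token that fails to decode or names an AD this HM does not know makes
    the cookie invalid: an empty list is returned so the caller can act exactly
    as if no cookie was set (and uncheck 'Bewaar selectie authenticatiedienst').
    """
    if not value:
        return []
    entity_ids = []
    for token in value.split(" "):
        try:
            uri = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return []
        if uri not in known_ads:
            return []
        entity_ids.append(uri)
    return entity_ids

def encode_saml_idp_cookie(entity_ids):
    """Each URI Base64-encoded, entries joined by exactly one space."""
    return " ".join(base64.b64encode(u.encode("utf-8")).decode("ascii") for u in entity_ids)

def set_cookie_header(entity_ids, max_age=ASSUMED_MAX_AGE):
    """Set-Cookie header value carrying the attributes the specification requires."""
    return "; ".join([
        f"{COOKIE_NAME}={encode_saml_idp_cookie(entity_ids)}",
        f"Domain={SHARED_DOMAIN}",
        "Path=/",
        f"Max-Age={max_age}",  # makes the cookie persistent
        "Secure",
        "HttpOnly",
    ])

def remember_checkbox_state(cookie_value):
    """True only when the cookie names at least one AD this HM recognises."""
    return bool(parse_saml_idp_cookie(cookie_value))
```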
Sessions at service providers
A service provider using SSO is responsible for local session management. During the session, the service provider MUST permanently offer and display a log-out option. A service provider must implement the log-out functionality as follows:
- Session cookies must be deleted and the session must be destroyed
- Submitted forms must be deleted (so that resubmitting the same form from the browser generates an error message)
- The session is then redirected to the HM and a logout message is sent according to Interface specifications DV-HM