SAML SLO with Multiple SP and Citrix ADC and IDP


Article ID: CTX253927


Description

Scenario: AAA Vserver on Citrix ADC acting as SAML IDP for multiple SPs

Login:
The user logs in to SP1 and is redirected to the AAA Vserver for authentication. After successful authentication the user is redirected back to SP1 with a SAML assertion.

The user then logs in to SP2 and is again redirected to the AAA Vserver. Because the browser already holds the session cookie from the AAA Vserver, authentication is seamless (no credential prompt) and the user is redirected back to SP2 with a SAML assertion. The AAA session now records that the user is logged in to both SP1 and SP2.

Logout:
If the user now logs out from SP1, SP1 redirects the user to the AAA Vserver with a SAML LogoutRequest. ADC terminates the user's AAA session and redirects the user back to SP1 with a LogoutResponse (front-channel logout through the browser).

ADC then looks up the other SPs the user is logged in to through this session and sends a back-channel LogoutRequest to each of them directly, server to server, without involving the browser. This traffic is initiated from a SNIP to the SLO endpoint of the SP as configured in the SAML IDP profile. In this example SP2 receives the back-channel LogoutRequest from ADC; the browser is never redirected to SP2.
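
The flow above, modelled end to end as an added example written for this article (it is not Citrix code and does not show how ADC implements it internally): an in-memory AAA session store records a SessionIndex per SP at login, accepts the front-channel LogoutRequest from SP1 over the HTTP-Redirect binding, answers it with a LogoutResponse for the browser to carry back to SP1, and produces one SOAP-wrapped back-channel LogoutRequest for every other SP in the session. The entity IDs, SLO URLs and cookie value are made up. SOAP over HTTP POST is assumed for the back channel because that is the binding the SAML 2.0 profiles define for server-to-server logout; the article does not say which binding ADC uses. XML signatures, which a real IdP must add and a real SP must verify, are left out. The check worth noticing is that a LogoutRequest only terminates the session whose NameID and SessionIndex it names, so a stale or replayed request gets a Requester status and triggers no back-channel traffic.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Assumed SP registry (entity ID -> SLO endpoint), standing in for the SLO URL configured in
# each ADC SAML IDP profile. Every name here is made up for this example.
SP_SLO_ENDPOINTS = {
    "https://sp1.example.test/saml/metadata": "https://sp1.example.test/saml/slo",
    "https://sp2.example.test/saml/metadata": "https://sp2.example.test/saml/slo",
}

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def redirect_query(param, xml_str):
    """HTTP-Redirect binding: raw DEFLATE (wbits -15), base64, then URL-encode the parameter."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return urlencode({param: base64.b64encode(c.compress(xml_str.encode()) + c.flush()).decode()})

def redirect_parse(query_string, param):
    """Inverse of redirect_query: extract the parameter from a query string and inflate it."""
    return zlib.decompress(base64.b64decode(parse_qs(query_string)[param][0]), -15).decode()

def soap_wrap(xml_str):
    """SOAP binding for the back channel; the SP receives this as the body of an HTTP POST."""
    return f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>{xml_str}</soap:Body></soap:Envelope>'

def _unwrap(xml_str, local_name):
    # Return the samlp element whether it arrived bare (redirect binding) or SOAP-wrapped.
    root = ET.fromstring(xml_str)
    if root.tag == f"{{{SOAP}}}Envelope":
        root = root.find(f"{{{SOAP}}}Body/{{{SAMLP}}}{local_name}")
    if root is None or root.tag != f"{{{SAMLP}}}{local_name}":
        raise ValueError(f"expected samlp:{local_name}")
    return root

def build_logout_request(issuer, name_id, session_index, destination):
    """Unsigned LogoutRequest; a real IdP signs it and the SP must verify that signature."""
    rid = "_" + uuid.uuid4().hex
    return rid, (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{rid}" Version="2.0" '
        f'IssueInstant="{_now()}" Destination="{destination}"><saml:Issuer>{escape(issuer)}</saml:Issuer>'
        f"<saml:NameID>{escape(name_id)}</saml:NameID><samlp:SessionIndex>{session_index}"
        "</samlp:SessionIndex></samlp:LogoutRequest>")

def build_logout_response(issuer, in_response_to, destination, status):
    return (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" IssueInstant="{_now()}" Destination="{destination}" InResponseTo="{in_response_to}">'
        f'<saml:Issuer>{escape(issuer)}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{status}"/>'
        "</samlp:Status></samlp:LogoutResponse>")

def parse_logout_request(xml_str):
    r = _unwrap(xml_str, "LogoutRequest")
    return {"id": r.get("ID"), "issuer": r.findtext(f"{{{SAML}}}Issuer"),
            "name_id": r.findtext(f"{{{SAML}}}NameID"), "session_index": r.findtext(f"{{{SAMLP}}}SessionIndex")}

def logout_response_status(xml_str):
    return _unwrap(xml_str, "LogoutResponse").find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")

class IdpSessionStore:
    """Models the AAA session: cookie -> user, plus one SessionIndex per SP that received an assertion."""
    def __init__(self, idp_entity_id):
        self.idp = idp_entity_id
        self.sessions = {}

    def login(self, cookie, name_id, sp_entity_id):
        # First SP login creates the AAA session; later SPs reuse it (seamless SSO, no re-auth).
        sess = self.sessions.setdefault(cookie, {"name_id": name_id, "sps": {}})
        sess["sps"][sp_entity_id] = "_" + uuid.uuid4().hex
        return sess["sps"][sp_entity_id]  # SessionIndex carried in the assertion to this SP

    def sp_initiated_logout(self, cookie, query_string):
        """Handle ?SAMLRequest=... from the initiating SP. Returns (redirect URL carrying the
        LogoutResponse for that SP, [(SLO URL, SOAP body), ...] for every other SP in the session)."""
        req = parse_logout_request(redirect_parse(query_string, "SAMLRequest"))
        if req["issuer"] not in SP_SLO_ENDPOINTS:
            raise ValueError(f"LogoutRequest from unknown SP {req['issuer']!r}")
        sess = self.sessions.get(cookie)
        # Terminate only a session the request actually identifies: NameID and the SessionIndex
        # issued to this SP must match. A stale or replayed request gets Requester and touches nothing.
        valid = (sess is not None and sess["name_id"] == req["name_id"]
                 and sess["sps"].get(req["issuer"]) == req["session_index"])
        back_channel = []
        if valid:
            del self.sessions[cookie]
            for sp, idx in sess["sps"].items():
                if sp != req["issuer"]:
                    _, xml_str = build_logout_request(self.idp, sess["name_id"], idx, SP_SLO_ENDPOINTS[sp])
                    back_channel.append((SP_SLO_ENDPOINTS[sp], soap_wrap(xml_str)))
        slo_url = SP_SLO_ENDPOINTS[req["issuer"]]
        resp = build_logout_response(self.idp, req["id"], slo_url, STATUS_SUCCESS if valid else STATUS_REQUESTER)
        return slo_url + "?" + redirect_query("SAMLResponse", resp), back_channel
```

In the real deployment the returned SOAP bodies are what leaves the SNIP as HTTP POSTs to each SP's SLO URL, and the status of the SP's SOAP LogoutResponse can be read with logout_response_status. Logging out from SP2 instead of SP1 works the same way: the initiating SP changes, and SP1 becomes the back-channel target.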

Dependencies for the back-channel SLO to work:

  1. ADC must be able to resolve the FQDN of the SP's SLO endpoint to an IP address (a DNS name server must be configured on the ADC, or a static host record must exist).
  2. There must be reachability from the SNIP to the resolved IP address on port 443 or 80, depending on the scheme of the SLO URL (or on the explicit port in the URL, if one is configured).
  3. The SP must support back-channel (server-to-server) logout.
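
A preflight for the first two dependencies, added here as an example and not part of the article or of any Citrix tooling: it derives host and port from the SLO URL (explicit port if present, otherwise 443 for https and 80 for http), resolves the host, and attempts a TCP connection to each resolved address, optionally bound to a given source address so that the path tested is the one the back channel will use when the script runs on a host where that address is local. The URLs in it are made up. It proves layer 3/4 reachability only; whether the SP actually supports back-channel logout (dependency 3) has to be confirmed from the SP's documentation or metadata.

```python
import socket
from urllib.parse import urlparse

# Constructed example endpoints; these hostnames do not exist and are only placeholders.
EXAMPLE_SLO_URLS = ["https://sp2.example.test/saml/slo", "http://sp1.example.test:8080/saml/slo"]

def slo_target(url):
    """Host and TCP port the back channel connects to: the port in the URL if given,
    otherwise 443 for https and 80 for http."""
    u = urlparse(url)
    if u.scheme not in ("https", "http") or not u.hostname:
        raise ValueError(f"not an http(s) SLO URL: {url!r}")
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)

def resolve(host, port):
    """Dependency 1: addresses the SLO host resolves to (empty list when resolution fails)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)})
    except socket.gaierror:
        return []

def tcp_reachable(ip, port, source_ip=None, timeout=3.0):
    """Dependency 2: can a TCP connection be opened to ip:port, optionally from source_ip
    (bind to the SNIP when running where that address is local)."""
    s = socket.socket(socket.AF_INET6 if ":" in ip else socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source_ip:
            s.bind((source_ip, 0))
        s.connect((ip, port))
        return True
    except OSError:
        return False
    finally:
        s.close()

def check_slo_endpoint(url, source_ip=None):
    """Run both checks for one SLO URL and report which resolved addresses accept connections."""
    host, port = slo_target(url)
    ips = resolve(host, port)
    return {"url": url, "host": host, "port": port, "resolved": ips,
            "reachable": [ip for ip in ips if tcp_reachable(ip, port, source_ip)]}

if __name__ == "__main__":
    for url in EXAMPLE_SLO_URLS:
        r = check_slo_endpoint(url)
        print(f"{url}: resolved={r['resolved'] or 'FAIL'} reachable={r['reachable'] or 'FAIL'}")
```

An empty "resolved" list points at dependency 1 (DNS on the ADC), a resolved address that is not reachable points at dependency 2 (routing or a firewall between the SNIP and the SP), and the port printed confirms which port the firewall rule must allow.
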
Packet trace from the test environment showing the expected SLO flow. Addresses used:

Client IP: 10.101.255.87
AAA Vserver IP: 10.110.201.88
SNIP: 10.110.201.62
SP1: 10.110.201.87
SP2: 10.110.202.8

  1. Incoming LogoutRequest from the client (10.101.255.87 to the AAA Vserver 10.110.201.88), after being redirected from SP1.

  2. Debug logs generated on ADC after receiving the above LogoutRequest. Note that ADC has identified another SP (SP2) to which it needs to send a back-channel LogoutRequest, and that it sends it directly from the SNIP.

  3. LogoutResponse sent to the client by redirecting it to SP1 (the initiating SP).

  4. Back-channel LogoutRequest sent from the SNIP (10.110.201.62) to SP2 (10.110.202.8).

  5. LogoutResponse received from SP2.

Issue/Introduction

SAML SLO Behavior with Multiple SP and Citrix ADC and IDP