...
Before installing, please be aware of the difficulties of Single Logout:
https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues
Please note: This plugin replaces the Shibboleth IdP 2.4 default SAML2SLO and SAML2LogoutRequestProfile.
For more information on the default implementation, see https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableSLO
...
<!-- Single Logout profile handler for messages received over the HTTP-Redirect binding (front channel).
     RequestPath is relative to the IdP profile servlet: the metadata snippet in this guide
     advertises this endpoint as .../idp/profile/SAML2/Redirect/SLO.
     outboundBindingEnumeration lists the bindings this handler may use for outgoing messages.
     NOTE(review): confirm that the security policy applied to the SLO profile in relying-party.xml
     requires signed logout messages on front-channel bindings. -->
<ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
<ph:RequestPath>/SAML2/Redirect/SLO</ph:RequestPath>
</ph:ProfileHandler>
<!-- Single Logout profile handler for messages received over the HTTP-POST binding (front channel).
     Same outbound binding list as the HTTP-Redirect handler; advertised in the metadata snippet
     of this guide as .../idp/profile/SAML2/POST/SLO. -->
<ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
<ph:RequestPath>/SAML2/POST/SLO</ph:RequestPath>
</ph:ProfileHandler>
<!-- Single Logout profile handler for messages received over the HTTP-POST-SimpleSign binding.
     NOTE(review): this guide's metadata snippet has no SingleLogoutService for this binding and its
     web.xml snippet has no SLOContextFilter mapping for /profile/SAML2/POST-SimpleSign/SLO.
     Confirm whether this endpoint is meant to be used; if not, consider leaving it out so that
     no unused logout endpoint is exposed. -->
<ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
<ph:RequestPath>/SAML2/POST-SimpleSign/SLO</ph:RequestPath>
</ph:ProfileHandler>
<!-- Single Logout profile handler for the SOAP binding (back channel); SOAP is also its only
     outbound binding. The metadata snippet in this guide publishes this endpoint on port 8443.
     NOTE(review): presumably 8443 is the IdP back-channel connector; confirm that it
     authenticates the calling service provider (TLS client certificate or signed message). -->
<ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
<ph:RequestPath>/SAML2/SOAP/SLO</ph:RequestPath>
</ph:ProfileHandler>
<!-- Local logout handler: uses the Shibboleth LocalLogout binding identifier and declares no
     outbound bindings. Its RequestPath /Logout is relative to the profile servlet, so it is a
     different URL from the /Logout mapping of LogoutServlet in the web.xml snippet of this guide. -->
<ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:mace:shibboleth:2.0:profiles:LocalLogout">
<ph:RequestPath>/Logout</ph:RequestPath>
</ph:ProfileHandler>
...
<!-- Root element of the relying-party configuration with the plugin namespace declared.
     The niifslo prefix is bound to http://uni-marburg.de/shibboleth/niif-slo; that URI is only an
     identifier, since xsi:schemaLocation maps it to classpath:/schema/niifslo-schema.xsd.
     Every schema listed here is resolved from the classpath, so validation needs no network fetch.
     NOTE(review): presumably the xmlns:niifslo declaration and the last schemaLocation pair are
     the entries to add to an existing file; confirm against your current relying-party.xml. -->
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
xmlns:resource="urn:mace:shibboleth:2.0:resource"
xmlns:security="urn:mace:shibboleth:2.0:security"
xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:niifslo="http://uni-marburg.de/shibboleth/niif-slo"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd
urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd
http://uni-marburg.de/shibboleth/niif-slo classpath:/schema/niifslo-schema.xsd">
...
<!-- SingleLogoutService endpoints published in the IdP metadata. idp.example.com is a sample
     host name; replace it with the host of your IdP. Each Location must correspond to the
     RequestPath of a configured SAML2SLO profile handler, prefixed with /idp/profile.
     The front-channel bindings (HTTP-Redirect, HTTP-POST) use the default HTTPS port, while the
     SOAP back-channel endpoint is published on port 8443. -->
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/idp/profile/SAML2/Redirect/SLO" />
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/idp/profile/SAML2/POST/SLO" />
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com:8443/idp/profile/SAML2/SOAP/SLO" />
7) In your webapp/WEB-INF/web.xml, look for "IdPSessionFilter" and add the following lines right below the </filter-mapping> node:
<!-- SLOContextFilter: adds the IdP SLO context object to incoming profile requests.
     It is mapped to the SOAP, HTTP-Redirect and HTTP-POST SLO endpoints and to /SLOServlet.
     NOTE(review): the profile handler snippet in this guide also defines
     /SAML2/POST-SimpleSign/SLO, which has no mapping here; confirm whether that is intended. -->
<filter>
  <filter-name>SLOContextFilter</filter-name>
  <filter-class>unimr.shib2.niifslo.SLOContextFilter</filter-class>
</filter>

<!-- Back-channel SLO endpoint (SOAP binding) -->
<filter-mapping>
  <filter-name>SLOContextFilter</filter-name>
  <url-pattern>/profile/SAML2/SOAP/SLO</url-pattern>
</filter-mapping>

<!-- Front-channel SLO endpoint (HTTP-Redirect binding) -->
<filter-mapping>
  <filter-name>SLOContextFilter</filter-name>
  <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
</filter-mapping>

<!-- Front-channel SLO endpoint (HTTP-POST binding) -->
<filter-mapping>
  <filter-name>SLOContextFilter</filter-name>
  <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
</filter-mapping>

<!-- SLO servlet: the filter applies to direct requests and to internal forwards.
     The mappings above name no dispatcher, so they apply to direct requests only. -->
<filter-mapping>
  <filter-name>SLOContextFilter</filter-name>
  <url-pattern>/SLOServlet</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<!-- End of SLOContextFilter configuration -->
Then, look for "/AuthnEngine" and add the following lines right below the </servlet-mapping> node:
<!-- SLOServlet: plugin servlet served at /SLOServlet and initialised at startup
     (load-on-startup 3). The SLOContextFilter mapping in this guide covers the same URL. -->
<servlet>
  <servlet-name>SLOServlet</servlet-name>
  <servlet-class>unimr.shib2.niifslo.SLOServlet</servlet-class>
  <load-on-startup>3</load-on-startup>
</servlet>

<servlet-mapping>
  <servlet-name>SLOServlet</servlet-name>
  <url-pattern>/SLOServlet</url-pattern>
</servlet-mapping>
<!-- LogoutServlet: entry point for IdP-initiated logout, served at /Logout of the web application. -->
<servlet>
  <servlet-name>LogoutServlet</servlet-name>
  <servlet-class>unimr.shib2.niifslo.LogoutServlet</servlet-class>
  <init-param>
    <!-- Path of the front-channel single logout profile handler. It has to match the
         RequestPath of the HTTP-Redirect SAML2SLO handler, prefixed with /profile. -->
    <param-name>profileHandlerPath</param-name>
    <param-value>/profile/SAML2/Redirect/SLO</param-value>
  </init-param>
  <load-on-startup>3</load-on-startup>
</servlet>

<servlet-mapping>
  <servlet-name>LogoutServlet</servlet-name>
  <url-pattern>/Logout</url-pattern>
</servlet-mapping>
8) Reinstall your Shibboleth IdP by running the appropriate install.sh script.
...