...
SPs can request a logout using either front- or back-channel SAML bindings (typically HTTP-Redirect on the front, SOAP on the back). The IdP supports reception of either type of request, but use of SOAP obviously requires server-side session state. Propagation to SPs via SOAP when possible is supported more or less automatically, and happens either as part of back-channel processing or as a result of the usual front-channel iframe-based propagation.
Basic Configuration
TheĀ idp.session.secondaryServiceIndex property must be enabled to support SAML logout requests (it is explicitly enabled by default for new installs, but defaults to false).
Another consideration with SAML logout has to do with the length of time the system will "remember" the SP's session, in order to prevent the session cache from growing endlessly. This can't be done precisely because the IdP doesn't actually know how long the SP's own session might last. The idp.session.defaultSPlifetime and idp.session.slop properties control how long the IdP will "remember" an SP's session. Once elapsed, it's likely that a request for logout will fail from any SP that has expired from the cache.
...