...

Currently there are three "events" that cause notifications:

  • logout/end of a session

  • a change to a user's SAML <NameID> value sent from an IdP

  • the termination of a user's SAML <NameID> value (a deprovisioning event)

There are also two kinds of notifications, "front-channel" and "back-channel", but only logout events support front-channel notifications in the current implementation.

For some (older) guidelines on how to adapt a web application to support Single Log Out (SLO), you can also have a look at SLOWebappAdaptation in the Shibboleth2 wiki.


Attributes

  Name       Type                 Default     Description
  Channel    "front" or "back"    required    Identifies the method of notification.
  Location   absolute URL                     The URL to send the notification message to.

Front-Channel Notifications

...

The front-channel "protocol" is a redirection to the endpoint with a query string containing the following parameters:

  Parameter   Description
  action      Currently only the value "logout" is possible.
  return      The URL to redirect the browser to when finished processing the event. The application MUST send the browser here to prevent problems during single logout.

Back-Channel Notifications

...

Logout event notification uses the <notify:LogoutNotification> element with the following additions:

Attributes

  Name   Type                   Description
  type   "local" or "global"    Indicates the type of logout event. Local logout is confined to the SP, while global logout involves the IdP as well.

Child Elements

  Name          Cardinality    Description
  <SessionID>   one or more    The ID of a session being logged out. The application is responsible for connecting the SP's session ID to its own state.


NameID Management Events

NameID management event notification uses the <notify:NameIDNotification> element with the following additions:

Child Elements

  Name                                 Cardinality     Description
  <saml:NameID>                        required        The original identifier associated with the user.
  <samlp:NewID> or <samlp:Terminate>   one or other    The new identifier to associate with the user, or the termination notice. These elements come directly from the SAML protocol schema and are simply copied from the actual protocol message
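As an added example (not code from the wiki page or from the Shibboleth SP itself), a small Python handler on the application side that parses both notification forms described above: the front-channel query string, and the back-channel LogoutNotification / NameIDNotification messages, enforcing the attribute values and cardinalities given in the tables. The sample messages are constructed, and the notify namespace URI in them is an assumption (the page does not state it), which is why the parser matches on local element names.

```python
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET  # prefer defusedxml for input you do not fully trust
# Constructed sample back-channel messages (SOAP-wrapped). The notify namespace
# URI below is an assumption, the page does not state it; parsing matches on local names.
LOGOUT_MSG = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<notify:LogoutNotification xmlns:notify="urn:mace:shibboleth:2.0:sp:notify" type="global">
<notify:SessionID>_8f2c1b</notify:SessionID><notify:SessionID>_a77e40</notify:SessionID>
</notify:LogoutNotification></soap:Body></soap:Envelope>"""
NAMEID_MSG = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<notify:NameIDNotification xmlns:notify="urn:mace:shibboleth:2.0:sp:notify"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:NameID>old-persistent-id</saml:NameID><samlp:Terminate/>
</notify:NameIDNotification></soap:Body></soap:Envelope>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix ElementTree adds

def parse_front_channel(url):
    """Return the 'return' URL from a front-channel redirect; only action=logout is defined."""
    q = parse_qs(urlsplit(url).query)
    action, ret = q.get("action", [None])[0], q.get("return", [None])[0]
    if action != "logout" or not ret:
        raise ValueError("front-channel notification needs action=logout and a return URL")
    return ret  # the application MUST send the browser here once its own session is cleared

def parse_back_channel(xml_text):
    """Parse a LogoutNotification or NameIDNotification into a dict, checking the documented cardinalities."""
    root = ET.fromstring(xml_text)
    body = next((e for e in root.iter() if _local(e.tag) in ("LogoutNotification", "NameIDNotification")), None)
    if body is None:
        raise ValueError("no notification element in message")
    if _local(body.tag) == "LogoutNotification":
        ids = [(e.text or "").strip() for e in body if _local(e.tag) == "SessionID"]
        if body.get("type") not in ("local", "global") or not ids:  # type required, one or more SessionID
            raise ValueError("LogoutNotification needs type=local|global and one or more SessionID")
        return {"event": "logout", "type": body.get("type"), "session_ids": ids}
    ev = {"event": "nameid", "name_id": None, "new_id": None, "terminate": False}
    for e in body:
        name = _local(e.tag)
        if name == "NameID":
            ev["name_id"] = (e.text or "").strip()
        elif name == "NewID":
            ev["new_id"] = (e.text or "").strip()
        elif name == "Terminate":
            ev["terminate"] = True
    # <saml:NameID> is required and exactly one of <samlp:NewID> / <samlp:Terminate> must be present
    if ev["name_id"] is None or (ev["new_id"] is not None) == ev["terminate"]:
        raise ValueError("NameIDNotification needs NameID and exactly one of NewID or Terminate")
    return ev
```

A real handler would map the returned session IDs and NameID to its own session store before acting, and would confirm the front-channel return URL points back at its own SP before redirecting.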