...
Advanced Options

Even SPs that support requesting logout may not support receiving logout requests, and many SPs may not care about responses to their own requests. In such cases it is advantageous to simply remove the <md:SingleLogoutService> endpoints from their metadata. Unfortunately this fails because the IdP is required to try to issue a response in most cases, and the result is an error. A new option has been added in V4.2+, a property named idp.logout.assumeAsync, to allow requests to be treated as though they carried the <aslo:Asynchronous> extension element, which tells the IdP that no response is needed. This makes the removal of endpoints from SP metadata an effective means of mitigating such problems with SPs: inbound logout to the IdP is allowed while outbound logout is prevented.

A bean is also exposed in V4.2+ to allow message-level encryption of <NameID> values to be suppressed based on Format. This is primarily supported to improve efficiency, given that many SPs rely on the urn:oasis:names:tc:SAML:2.0:nameid-format:transient format, which isn't all that important to encrypt. A typical bean definition in conf/global.xml:
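To make the interaction between idp.logout.assumeAsync, the <aslo:Asynchronous> extension and the presence of <md:SingleLogoutService> endpoints concrete, here is a small model of the decision an IdP has to make after processing an inbound LogoutRequest. This is an added illustration written for this page, not Shibboleth IdP code: the function names, the return labels ("respond", "error", "no-response") and the sample LogoutRequest and SP metadata are all constructed here. The aslo namespace URI is taken from the SAML V2.0 Asynchronous Single Logout Profile Extension; the NameID helper at the end models the Format-based suppression described in the second paragraph, with the format set to suppress being an assumed configuration value rather than the real bean's contents.

```python
"""Model of inbound-logout response handling (added example, not IdP code).

It reproduces the three outcomes described above:
  - the SP published a SingleLogoutService endpoint -> send a LogoutResponse
  - no endpoint and the request is synchronous       -> error
  - the request is asynchronous, or assumeAsync=True -> no response needed
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    # Namespace of the SAML V2.0 Asynchronous Single Logout Profile Extension.
    "aslo": "urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo",
}

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def request_is_async(logout_request_xml: str) -> bool:
    """True if the LogoutRequest carries <aslo:Asynchronous> in <samlp:Extensions>."""
    root = ET.fromstring(logout_request_xml)
    return root.find("samlp:Extensions/aslo:Asynchronous", NS) is not None


def sp_has_slo_endpoints(sp_metadata_xml: str) -> bool:
    """True if the SP's metadata publishes at least one <md:SingleLogoutService>."""
    root = ET.fromstring(sp_metadata_xml)
    return root.find("md:SPSSODescriptor/md:SingleLogoutService", NS) is not None


def logout_response_plan(logout_request_xml: str, sp_metadata_xml: str,
                         assume_async: bool = False) -> str:
    """Decide what to do after the IdP has processed an inbound LogoutRequest.

    assume_async mirrors idp.logout.assumeAsync: when True every request is
    treated as if it carried <aslo:Asynchronous>, so a missing endpoint is no
    longer an error and outbound logout to that SP is simply skipped.
    """
    if assume_async or request_is_async(logout_request_xml):
        return "no-response"
    if sp_has_slo_endpoints(sp_metadata_xml):
        return "respond"
    return "error"   # a response is required but there is nowhere to send it


def nameid_needs_encryption(nameid_format: str,
                            suppressed_formats=frozenset({TRANSIENT})) -> bool:
    """Assumed policy: encrypt <NameID> unless its Format is in the suppressed set."""
    return nameid_format not in suppressed_formats


# --- constructed sample messages (not captured from a real deployment) -------
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID>
</samlp:LogoutRequest>"""

# Same request with the asynchronous-SLO extension inserted after <saml:Issuer>.
ASYNC_LOGOUT_REQUEST = LOGOUT_REQUEST.replace(
    "</saml:Issuer>",
    '</saml:Issuer><samlp:Extensions><aslo:Asynchronous '
    'xmlns:aslo="urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"/>'
    "</samlp:Extensions>", 1)

SP_METADATA_WITH_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.org/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The same SP after its <md:SingleLogoutService> endpoints have been removed.
SP_METADATA_NO_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print("endpoint present:         ", logout_response_plan(LOGOUT_REQUEST, SP_METADATA_WITH_SLO))
    print("endpoint removed:         ", logout_response_plan(LOGOUT_REQUEST, SP_METADATA_NO_SLO))
    print("endpoint removed+async:   ", logout_response_plan(ASYNC_LOGOUT_REQUEST, SP_METADATA_NO_SLO))
    print("endpoint removed+assume:  ", logout_response_plan(LOGOUT_REQUEST, SP_METADATA_NO_SLO, True))
    print("encrypt transient NameID: ", nameid_needs_encryption(TRANSIENT))
```

Running the script shows the failure mode the text describes (stripping the endpoint alone yields "error") and how either the extension element in the request or the assumeAsync setting turns that into "no-response", which is what makes endpoint removal a usable way to allow inbound but block outbound logout for a given SP.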
Administrative Logout 4.3
V4.3 adds a long-requested capability to log out sessions administratively. Right now this capability is confined to the IdP session (and that’s all that will ever be practical) and is implemented by means of revoking the authentication state of a subject. See AdministrativeLogoutConfiguration.
Reference
| Name | Type | Default | Description |
|---|---|---|---|
| idp.session.trackSPSessions | Boolean | false | Whether to store references to SP sessions in the IdP session to support logout propagation |
| idp.session.secondaryServiceIndex | Boolean | false | Whether to store NameID backreferences in the IdP session to support SAML 2.0 logout |
| idp.logout.elaboration | Boolean | false | Whether to search metadata for user interface information associated with every service involved in logout propagation |
| idp.logout.authenticated | Boolean | true | Whether to require signed logout messages in accordance with the SAML 2.0 standard |
| idp.logout.promptUser | Bean ID of Predicate<ProfileRequestContext> | false | If the bean returns true, the user is given the option to actually cancel the IdP logout outright and prevent removal of the session |
| idp.artifact.enabled | Boolean | true | Controls use of HTTP-Artifact binding for outbound logout messages |
| idp.logout.preserveQuery (4.1) | Boolean | false | Processes arbitrary query parameters to the Simple Logout endpoint and stashes them in a ScratchContext for use by subsequent view logic |
| idp.logout.assumeAsync (4.2) | Boolean | false | When true, allows inbound SAML LogoutRequests to be processed even if the SP lacks metadata containing response endpoints |
| idp.logout.propagationHidden (4.2) | Boolean | false | Applies the "display:none" style to the list of SPs and logout status reporting images so that logout status is not visibly reported to the user |
| idp.soap.httpClient (4.2) | Bean ID of HttpClient to use for SOAP-based logout | SOAPClient.HttpClient | Allows the HttpClient used for SOAP communication to be overridden (applies to SAML logout via SOAP) |
...