Versions Compared

...

If the user chooses SLO, the logout-propagate.vm view is rendered and the browser mediates (i.e., front-channel) a series of logout messages coordinated via iframes, JavaScript, and in some cases HTML5 storage. The result is a best-effort attempt to explicitly end each relying party session by sending a protocol-specific message to each service endpoint. In the IdP configuration, the SLO messaging process is called propagation. The

If configured to do so, the IdP attempts to display prominent status information on the result of each attempt to end a relying party session; a red X for failure or a green checkbox for success. This is typically quite limited in accuracy, and many false positives or negatives should be expected. We do not in general recommend displaying this to users, but have not (yet) deprecated support for displaying it.

If the user chooses to end without SLO, logout-complete.vm is rendered and a message is displayed indicating that some relying party sessions may still be active.

By default, the IdP session is terminated regardless of the user's choice. In other words, the question asked is "propagate or not?" rather than "logout or not?". The idp.logout.promptUser property can be set to a Predicate bean that allows the user to make a cancel decision.

Configuration

The idp.session.trackSPSessions property must be enabled to support the SLO propagation feature (it is explicitly enabled by default for new installs but defaults to false).

...

The design of the logout feature does not support returning control of the user agent to any other system via a "return" parameter or similar mechanism. While this remains officially unsupported, the idp.logout.preserveQuery property can be set to true to cause any parameters on the original request to be preserved and made accessible via a ScratchContext object underneath the ProfileRequestContext.

...

The SLO feature requires a fair bit of mature JavaScript support, but any browser that supports HTML5 LocalStorage should work (this use of LocalStorage is independent of the choice of storage service, and it applies even when server-side storage is used). While the SLO implementation is based on modern Web standards, browser features vary so greatly that it's hard to identify minimum browser requirements.

Troubleshooting

Because the logout propagation feature uses JavaScript for its front-channel support, all communication with the SPs can be traced in the Web browser. To this end, both the SAML tracer (a Firefox plugin) and the JavaScript console in most browsers' developer tools can be helpful in troubleshooting. Common errors include:

  • The SP's web server has set X-Frame-Options to "sameorigin", or uses similar CSP features, which will generally cause the SLO exchange between the SP and the IdP to fail, because the SP's logout endpoint cannot be loaded in an iframe on the IdP's logout page.
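As an added, offline check for the framing problem above (example code, not part of the IdP or SP software): given the response headers of an SP logout endpoint, decide whether the IdP origin would be allowed to load it in an iframe. The header values are constructed; it assumes a CSP frame-ancestors directive takes precedence over X-Frame-Options, and it does not model the obsolete ALLOW-FROM form or non-default ports.

```python
from urllib.parse import urlsplit


def _origin(url):
    """Reduce a URL to its scheme://host origin (lower-cased)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _matches_source(src, idp_origin, sp_origin):
    """Does one frame-ancestors source expression admit the IdP origin?"""
    src = src.strip().lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return idp_origin == sp_origin
    if src == "*":
        return True
    scheme, _, host = idp_origin.partition("://")
    if src.endswith(":") and "/" not in src:        # scheme-source, e.g. "https:"
        return scheme == src[:-1]
    src_scheme, sep, src_host = src.partition("://")  # host-source, optional scheme
    if not sep:
        src_scheme, src_host = None, src
    if src_scheme and src_scheme != scheme:
        return False
    if src_host.startswith("*."):                    # wildcard subdomain match
        return host.endswith(src_host[1:])
    return host == src_host


def can_be_framed(headers, idp_url, sp_url):
    """Return (allowed, reason) for embedding sp_url in an iframe served from idp_url."""
    h = {k.lower(): v for k, v in headers.items()}
    idp, sp = _origin(idp_url), _origin(sp_url)
    # CSP frame-ancestors wins over X-Frame-Options in browsers that support it (assumption).
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split() or ["'none'"]   # bare directive means 'none'
            ok = any(_matches_source(s, idp, sp) for s in sources)
            return ok, f"frame-ancestors {value.strip()!r}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return idp == sp, "X-Frame-Options: SAMEORIGIN"
    return True, "no framing restriction found"


if __name__ == "__main__":
    # Constructed headers resembling a typical SP behind a hardened web server.
    hdrs = {"X-Frame-Options": "SAMEORIGIN"}
    print(can_be_framed(hdrs, "https://idp.example.org/idp", "https://sp.example.edu/Shibboleth.sso/SLO"))
```

A result of `(False, ...)` for the IdP origin means the SP's propagation iframe will be blocked; the fix is to add the IdP origin to the SP's frame-ancestors list rather than to remove the header entirely.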

SAML Logout

SAML Logout is a more complex protocol than the simple variant described above, but the implementation is shared across the two approaches. There are really two "halves" to this:

...