...
The UI is also, to our understanding, not accessible and is apparently impossible to make accessible. Whether or not that is true, it is certainly not accessible by default, and no fixes for this have been provided. It is believed that hiding the propagation status reporting makes the UI accessible, and the idp.logout.propagationHidden property exists in V4.2+ to hide this reporting from the user, both for accessibility and because of the large number of false positives and negatives that are typically encountered.
...
SPs can request a logout using either front- or back-channel SAML bindings (typically HTTP-Redirect on the front, SOAP on the back). The IdP supports reception of either type of request, but use of SOAP obviously requires server-side session state. Propagation to SPs via SOAP when possible is supported more or less automatically, and happens either as part of back-channel processing or as a result of the usual front-channel iframe-based propagation.
Basic Configuration
The idp.session.secondaryServiceIndex property must be enabled to support SAML logout requests (new installs explicitly enable it, but the built-in default is false).
Another consideration with SAML logout is how long the system will "remember" an SP's session, which is bounded to prevent the session cache from growing endlessly. This can't be done precisely, because the IdP doesn't actually know how long the SP's own session might last. The idp.session.defaultSPlifetime and idp.session.slop properties control how long the IdP will "remember" an SP's session. Once that time has elapsed, a logout request from any SP that has expired from the cache will most likely fail.
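As an added example (not from the Shibboleth documentation itself), the following idp.properties fragment turns on the settings discussed above and in the property table below, with the security-relevant ones annotated; the duration values and the ISO 8601 duration syntax are assumptions for illustration.

```properties
# Added example, not the project's own file. Values are illustrative.

# Record which SPs the user logged into, so logout can be propagated to them.
idp.session.trackSPSessions = true

# Index the IdP session by NameID so inbound SAML LogoutRequests can be
# matched to a session (new installs set this; the built-in default is false).
idp.session.secondaryServiceIndex = true

# How long an SP session is kept in the IdP session cache. A LogoutRequest
# arriving after this window (plus slop) fails because the SP entry has
# already expired. Assumed values; tune to the longest SP session you expect.
idp.session.defaultSPlifetime = PT2H
idp.session.slop = PT0S

# Keep signature enforcement on (the default). Setting this to false accepts
# unsigned logout messages, so anyone who can deliver a LogoutRequest for a
# known NameID could terminate that user's IdP session.
idp.logout.authenticated = true

# Leave false unless an SP genuinely lacks response endpoints in its metadata;
# true lets a LogoutRequest be processed with nowhere to send the response.
idp.logout.assumeAsync = false

# Hide the per-SP propagation status icons: better for accessibility, and the
# reported status is frequently a false positive or negative anyway.
idp.logout.propagationHidden = true
```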
...
Name | Type | Default | Description
--- | --- | --- | ---
idp.session.trackSPSessions | Boolean | false | Whether to store references to SP sessions in the IdP session to support logout propagation
idp.session.secondaryServiceIndex | Boolean | false | Whether to store NameID backreferences in the IdP session to support SAML 2.0 logout
idp.logout.elaboration | Boolean | false | Whether to search metadata for user interface information associated with every service involved in logout propagation
idp.logout.authenticated | Boolean | true | Whether to require signed logout messages in accordance with the SAML 2.0 standard
idp.logout.promptUser | Bean ID of Predicate<ProfileRequestContext> | false | If the bean returns true, the user is given the option to actually cancel the IdP logout outright and prevent removal of the session
idp.artifact.enabled | Boolean | true | Controls use of HTTP-Artifact binding for outbound logout messages
idp.logout.preserveQuery (V4.1+) | Boolean | false | Processes arbitrary query parameters to the Simple Logout endpoint and stashes them in a ScratchContext for use by subsequent view logic
idp.logout.assumeAsync (V4.2+) | Boolean | false | When true, allows inbound SAML LogoutRequests to be processed even if the SP lacks metadata containing response endpoints
idp.logout.propagationHidden (V4.2+) | Boolean | false | Applies the "display:none" style to the list of SPs and logout status reporting images so that logout status is not visibly reported to the user
idp.soap.httpClient (V4.2+) | Bean ID of HttpClient to use for SOAP-based logout | SOAPClient.HttpClient | Allows the HttpClient used for SOAP communication to be overridden (applies to SAML logout via SOAP)
The following may be defined in conf/global.xml if needed.

Name | Type | Default | Description
--- | --- | --- | ---
shibboleth.PlaintextNameIDFormats (V4.2+) | Set<String> | urn:oasis:names:tc:SAML:2.0:nameid-format:entity | Set of <NameID> Formats which need not be encrypted in messages, notwithstanding other settings
...