Advanced Configuration
Note, this is an advanced configuration feature. Most deployments can rely on the shorthand elements.
The ADFS handler is only available if the adfs.so extension library is loaded by the SP.
Generally this handler need not be configured directly, because ADFS requires that it be co-located with the endpoint responsible for incoming assertions.
The ADFS handler implements the Microsoft ADFS signout protocol. The following steps are performed:
- Front and back-channel application notification loops are executed.
- The active session is removed from the cache.
- If a "wreply" parameter is provided, the browser is redirected to it.
- Otherwise, the globalLogout template is displayed.
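Because the handler redirects the browser to "wreply" when it is supplied, signout requests that name a destination outside the SP's own hosts are worth reviewing. The following log audit is an added example, not part of the Shibboleth documentation or code; the handler path, the allowed host set and the combined log format are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions for this example (not taken from the SP documentation):
HANDLER_PATH = "/Shibboleth.sso/ADFS"   # handlerURL combined with the handler's Location
ALLOWED_HOSTS = {"sp.example.org"}      # hosts a wreply value may legitimately name

# Constructed sample access-log lines (combined log format).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2024:10:00:01 +0000] "GET /Shibboleth.sso/ADFS?wa=wsignout1.0&wreply=https%3A%2F%2Fsp.example.org%2Fbye HTTP/1.1" 302 0
192.0.2.11 - - [01/Mar/2024:10:00:05 +0000] "GET /Shibboleth.sso/ADFS?wa=wsignout1.0 HTTP/1.1" 200 512
192.0.2.12 - - [01/Mar/2024:10:00:09 +0000] "GET /Shibboleth.sso/ADFS?wa=wsignout1.0&wreply=https%3A%2F%2Fsp.example.org.other.test%2F HTTP/1.1" 302 0
192.0.2.13 - - [01/Mar/2024:10:00:12 +0000] "GET /Shibboleth.sso/ADFS?wa=wsignout1.0&wreply=%2F%2Fother.test%2Fx HTTP/1.1" 302 0
192.0.2.14 - - [01/Mar/2024:10:00:15 +0000] "GET /Shibboleth.sso/ADFS?wa=wsignout1.0&wreply=%2Fgoodbye.html HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify_wreply(value):
    """Return 'allowed', 'relative' or 'external' for a decoded wreply value."""
    if "\\" in value:                   # browsers may treat "\" like "/"
        return "external"
    parts = urlsplit(value)
    if not parts.scheme and not parts.netloc:
        return "relative"               # stays on the host that served the request
    host = (parts.hostname or "").lower()
    if parts.scheme in ("http", "https") and host in ALLOWED_HOSTS:
        return "allowed"
    return "external"                   # other host, other scheme, or scheme-relative

def audit(log_text):
    """Return (client, wreply, verdict) for signout requests that carry wreply."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != HANDLER_PATH:
            continue
        for wreply in parse_qs(url.query).get("wreply", []):
            findings.append((client, wreply, classify_wreply(wreply)))
    return findings

if __name__ == "__main__":
    for client, wreply, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:9} {client:12} {wreply}")
```

Requests without "wreply" produce no finding, since the handler displays the globalLogout template for them.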
The following Binding values are supported:
Attributes
The following may be specified for all Single Logout protocols and bindings:
Name | Type | Req? | Default | Description |
---|---|---|---|---|
Location | relative path | Y | | The location of the handler (when combined with the base handlerURL). This is the location to which an IdP sends messages using whatever protocol and binding it shares with the SP. Each combination of SLO protocol and binding is installed at a unique location to improve efficiency. |
Binding | URI | Y | | Identifies the protocol binding supported by the handler. Bindings describe how the message is packaged by the IdP (or by the browser in some cases) for consumption by the handler. |
notifyWithoutSession 3.1 | Boolean | | false | When true, the front-channel notification feature is enabled even when an incoming SAML LogoutRequest message is not accompanied by the session cookie for the active session. |
signing | one of conditional, true, false, front, back | | | See Signing&Encryption. Controls outbound signing of XML messages and content subject to applicability to the protocol involved. |
encryption | | | | See Signing&Encryption. Controls outbound encryption of XML messages and content subject to applicability to the protocol involved. |