Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Advanced Configuration

Note, this is an advanced configuration feature. Most deployments can rely on the <Logout> shorthand element.

The <LogoutInitiator> element is used to configure handlers that are responsible for initiating a logout operation, the termination of a user's session. The handler is responsible for performing protocol-specific tasks related to the logout, as well as terminating the session.

Logout can be "local" or "global". Local logout means that the SP's session is removed, but no communication with the IdP or other SPs is involved (with the caveat that the local logout might redirect to an IdP using some proprietary approach that is outside the scope of our documentation). Global logout implies that the IdP is also informed of the logout operation. The SP software includes user interface support for presenting a different template depending on which kind of logout takes place.

Initiation of logout via this mechanism can only be done by the user that owns the session (by contacting the handler while his/her session is active).

The ability to configure multiple LogoutInitiator handlers, and to combine them in chains, allows the deployer to control the selection of particular global/single logout protocols when more than one can be used, and to ensure that at least a local logout takes place.

Logout initiators are also required to invoke application notification loops during the logout operation. These are configured with the <Notify> element. Note that the actual <Notify> element(s) are configured at the application level, not inside the logout initiator.

Finally, you can supply a parameter named "return" as a query string parameter containing a URL. If logout completes successfully, the SP will redirect the browser to that location.

For some additional guidance, see the at SLOWebappAdaptation topic in the Shibboleth2 wiki.

Types of LogoutInitiators

Specific Initiators are defined by the type= attribute, each type specifies its own attributute as well as the common ones.  Some initiators allow child elements.  The following types are available by default.  More may be added as plugins

Common Attributes

The following attributes may be specified for all types of LogoutInitiator

Name

Type

Default

Description

type

string

required

Plugin type name.

Location

relative path

The location of the SessionInitiator (when combined with the base handlerURL).

relayState 

string

Controls how information associated with the session request, primarily the original resource accessed, is preserved for the completion of the authentication process. Overrides the like-named attribute in the <Sessions> element.

signing 

one of
conditional,
true, false, front, back


See Signing&Encryption. Controls outbound signing of XML messages and content subject to applicability to the protocol involved.

encryption 


See Signing&Encryption. Controls outbound encryption of XML messages and content subject to applicability to the protocol involved.

  • No labels