Advanced Configuration
Note, this is an advanced configuration feature. Most deployments can rely on the <Logout> shorthand element.
Indicated by type="SAML2", this LogoutInitiator supports SAML 2.0 SP-initiated single logout. If the user's session was initiated with a protocol other than SAML 2, the handler ignores the request. Otherwise, the initiating entityID is used to look up metadata containing an <md:IDPSSODescriptor> role that supports SAML 2.0 and a compatible <md:SingleLogoutService> endpoint. The absence of either causes an INFO-level message to be logged, and the handler otherwise ignores the request.

If a "return" query string parameter is provided, it is preserved via the relay state mechanism.

Whether or not the logout request is successfully issued, the user's session will be removed if at all possible.
Attributes
Common Attributes
The following attributes may be specified for all types of LogoutInitiator:

Name | Type | Default | Description |
---|---|---|---|
type | string | required | Plugin type name. |
Location | relative path | | The location of the handler (when combined with the base handlerURL). |
relayState | string | | Controls how information associated with the session request, primarily the original resource accessed, is preserved for the completion of the authentication process. Overrides the like-named attribute in the <Sessions> element. |
signing | one of | | See Signing&Encryption. Controls outbound signing of XML messages and content, subject to applicability to the protocol involved. |
encryption | | | See Signing&Encryption. Controls outbound encryption of XML messages and content, subject to applicability to the protocol involved. |
Specific Attributes
Name | Type | Default | Description |
---|---|---|---|
template | local pathname | | An HTML template used during transmission of the <samlp:LogoutRequest> message. |
outgoingBindings | space-delimited URI list | | List of SAML binding identifiers that determines the order of preferred <md:SingleLogoutService> bindings to use for the request. If this setting is used, failing to list a binding will prevent the use of an IdP that only supports the omitted binding. |
postArtifact | boolean | false | If true, the SAML artifact binding is implemented using a form POST rather than a redirect. |
asynchronous | boolean | false | When true, the logout request will contain an extension signaling that the SP doesn't need a response back. This is used to simplify the typical use case in which the user interface is meant to stay at the IdP after the logout completes. |
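The following is an added configuration example, not taken from the original page or the project's own documentation, showing the explicit SAML2 LogoutInitiator with the attributes listed in the tables above. The attribute names and the type="SAML2" value come from this page; the enclosing <Sessions> element, the handlerURL value, the Location path and the two SAML 2.0 binding URIs (which are the standard HTTP-Redirect and HTTP-POST binding identifiers) are assumptions chosen for illustration.

```xml
<!-- Added example (not from the original page). Assumed context: a <Sessions>
     element whose handlers are rooted at /Shibboleth.sso. -->
<Sessions handlerURL="/Shibboleth.sso">

  <!-- Explicit SAML 2 logout initiator, using the attributes documented above.
       Assumed Location: the handler is reached at /Shibboleth.sso/Logout/SAML2 -->
  <LogoutInitiator type="SAML2"
                   Location="/Logout/SAML2"
                   relayState="ss:mem"
                   outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                   postArtifact="false"
                   asynchronous="true"/>

</Sessions>
```

With this configuration, only the two listed bindings will be considered when selecting an <md:SingleLogoutService> endpoint from the IdP's metadata; an IdP that publishes only some other binding will be skipped and the INFO-level message described above will be logged. Because asynchronous="true", the <samlp:LogoutRequest> carries the extension that tells the IdP no response is expected, which suits the case where the user is meant to remain at the IdP afterwards. A "return" parameter supplied when invoking the handler (for example /Shibboleth.sso/Logout/SAML2?return=..., with the path being the assumed Location) is carried through the relay state mechanism configured by relayState.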