Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Current »

Advanced Configuration

Note, this is an advanced configuration feature. Most deployments can rely on the <Logout> shorthand element.

Indicated by type="SAML2", this LogoutInitiator supports SAML 2.0 SP-initiated single logout. If the user's session was initiated with a protocol other than SAML 2, then the handler ignores the request. Otherwise, the initiating entityID is used to check for metadata with an <md:IDPSSODescriptor> role supporting SAML 2.0 and a compatible <md:SingleLogoutService> endpoint. The absence of either causes an INFO-level message to be logged and the handler otherwise ignores the request.

If a "return" query string parameter is provided, it will be preserved via a relay state mechanism.

Whether or not the logout request is successfully issued, the user's session will be removed if at all possible.

Attributes

Common Attributes

The following attributes may be specified for all types of LogoutInitiator

Name

Type

Default

Description

type

string

required

Plugin type name.

Location

relative path

The location of the SessionInitiator (when combined with the base handlerURL).

relayState 

string

Controls how information associated with the session request, primarily the original resource accessed, is preserved for the completion of the authentication process. Overrides the like-named attribute in the <Sessions> element.

signing 

one of
conditional,
true, false, front, back


See Signing&Encryption. Controls outbound signing of XML messages and content subject to applicability to the protocol involved.

encryption 


See Signing&Encryption. Controls outbound encryption of XML messages and content subject to applicability to the protocol involved.

Specific Attributes

Name

Type

Default

Description

template

local pathname


An HTML template used during transmission of the <samlp:LogoutRequest> message

outgoingBindings

space delimited URI list


List of SAML binding identifiers that determines the order of preferred <md:SingleLogoutService> bindings to use for the request. If this setting is used, failing to list a binding will prevent the use of an IdP that only supports the omitted binding.

postArtifact

boolean

false

If true, the SAML artifact binding is implemented using a form POST rather then a redirect.

asynchronous 

boolean

false

When true, the logout request will contain an extension signaling that the SP doesn't need a response back. This is used to simplify the typical use case in which the user interface is meant to stay at the IdP after the logout completes


  • No labels