The <md:SingleLogoutService> element is used to configure handlers that are responsible for processing logout protocol messages from an IdP. These are protocol specific, but generally fall into two classes: requests, which tell the SP to perform a logout, and responses, which conclude a logout event initiated by the SP.
As a multi-protocol system, the SP itself is oblivious to specific logout protocols; each handler provides the implementation of a particular logout protocol.
Location (relative path)
Binding (URI)
signing (namespace-qualified by urn:mace:shibboleth:2.0:native:sp:config) (see NativeSPSigningEncryption) (Version 2.6 and Above)
encryption (namespace-qualified by urn:mace:shibboleth:2.0:native:sp:config) (see NativeSPSigningEncryption) (Version 2.6 and Above)
The SAML 2.0 logout handler implements the SAML 2.0 Browser Single Logout profile. The incoming message may be a <samlp:LogoutRequest> or <samlp:LogoutResponse>.
If the message is a request via a front-channel binding, then the following steps are performed. If an error occurs at any point, an effort is made to respond to the requesting IdP with a <samlp:LogoutResponse> containing the error.
A <samlp:LogoutResponse> is returned to the requesting IdP. The status indicates whether the SP believes that the logout completely succeeded.
If the message is a request via a back-channel binding, then the following steps are performed:
A <samlp:LogoutResponse> is returned to the requesting IdP. The status indicates whether the SP believes that the logout completely succeeded.
If the message is a response, then the SP completes the logout operation by redirecting the browser to a location preserved by relay state, if any, or the globalLogout template is displayed.
The following Binding values are supported:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
urn:oasis:names:tc:SAML:2.0:bindings:SOAP
The ADFS handler is only available if the |
The ADFS handler implements the Microsoft ADFS signout protocol. The following steps are performed:
globalLogout template is displayed.
The following Binding values are supported:
http://schemas.xmlsoap.org/ws/2003/07/secext
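An added example, not part of the Shibboleth documentation or code: a Python check that reads a configuration fragment and tests each <md:SingleLogoutService> handler against the attribute rules and Binding values listed on this page. The sample fragment, its Location paths, the signing value, and the grouping of bindings into front-channel and back-channel are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
CONF_NS = "urn:mace:shibboleth:2.0:native:sp:config"  # namespace named on this page
SAML2 = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Binding values this page lists as supported; channel grouping is the example's own.
SUPPORTED = {SAML2 + b: "front-channel" for b in
             ("HTTP-Redirect", "HTTP-POST", "HTTP-POST-SimpleSign", "HTTP-Artifact")}
SUPPORTED[SAML2 + "SOAP"] = "back-channel"
SUPPORTED["http://schemas.xmlsoap.org/ws/2003/07/secext"] = "ADFS"

# Constructed sample, not taken from a real deployment.
SAMPLE = """<Sessions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config">
  <md:SingleLogoutService Location="/SLO/SOAP" conf:signing="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
  <md:SingleLogoutService Location="/SLO/Redirect"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  <md:SingleLogoutService Location="https://sp.example.org/SLO/POST"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Post"/>
  <md:SingleLogoutService Location="/ADFS" signing="true"
      Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>
</Sessions>"""

def audit_logout_handlers(xml_text):
    """Return one dict per <md:SingleLogoutService>, with a list of findings."""
    results = []
    for el in ET.fromstring(xml_text).iter("{%s}SingleLogoutService" % MD_NS):
        loc, binding = el.get("Location"), el.get("Binding")
        issues = []
        if not loc or "://" in loc:
            issues.append("Location is not a relative path")
        if binding not in SUPPORTED:  # URIs compare case-sensitively
            issues.append("unsupported Binding")
        for name in ("signing", "encryption"):
            if el.get(name) is not None:  # present without the config namespace
                issues.append(name + " attribute is not namespace-qualified")
        results.append({
            "location": loc, "binding": binding,
            "channel": SUPPORTED.get(binding),
            "signing": el.get("{%s}signing" % CONF_NS),
            "encryption": el.get("{%s}encryption" % CONF_NS),
            "issues": issues,
        })
    return results

if __name__ == "__main__":
    print(audit_logout_handlers(SAMPLE))
```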