Note, this is an advanced configuration feature. Most deployments can rely on the shorthand elements.
The SAML 2.0 logout handler implements the SAML 2.0 Browser Single Logout profile. The incoming message may be a <samlp:LogoutRequest> or <samlp:LogoutResponse>.
If the message is a request via a front-channel binding, then the following steps are performed. If an error occurs at any point, an effort is made to respond to the requesting IdP with a <samlp:LogoutResponse> containing the error.
A <samlp:LogoutResponse> is returned to the requesting IdP. The status indicates whether the SP believes that the logout completely succeeded.
If the message is a request via a back-channel binding, then the following steps are performed:
A <samlp:LogoutResponse> is returned to the requesting IdP. The status indicates whether the SP believes that the logout completely succeeded.
If the message is a response, then the SP completes the logout operation by redirecting the browser to a location preserved by relay state, if any; otherwise the globalLogout template is displayed.
The following Binding values are supported:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
urn:oasis:names:tc:SAML:2.0:bindings:SOAP