IdPSAML2LogoutRequestProfileConfig
Relying Party SAML 2 Logout Request Profile Configuration
This profile configuration enables and configures the IdP's limited support for the SAML 2 Single Logout (SLO) profile. This feature is available in V2.4.0 and later.
This is part of, but not the entire, configuration needed for logout support. For a more general overview and a complete example, see the IdPEnableSLO topic.
Basic Configuration
This profile is enabled by adding a <ProfileConfiguration xsi:type="saml:SAML2LogoutRequestProfile"/> element to a <RelyingParty> definition, for example:
<ProfileConfiguration xsi:type="saml:SAML2LogoutRequestProfile" signResponses="conditional"/>
In addition, older versions of the IdP lack the <ProfileHandler> declarations in handler.xml that define the endpoints for this feature, so enabling the profile configuration alone is not enough. To fix this, merge the changes made between your version of handler.xml and the newer default version into your copy. The XML involved is embedded below.
Advanced Configuration
The SAML2 Logout Request profile configuration supports the following advanced configuration attributes:
- signResponses - see Configuring XML Signature and Encryption
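The following relying-party.xml fragment is an added example, not configuration shipped with the IdP or taken from the original page. It shows the two places the profile configuration is normally used in the IdP 2.x file: the <DefaultRelyingParty> that applies to every SP, and a per-SP <RelyingParty> override. The signResponses values "always", "conditional" and "never" are the ones the IdP 2.x signing settings accept; the entity IDs, credential reference and namespace prefixes (rp:, saml:) are assumptions that match the default file layout and should be adjusted to your deployment.

```xml
<!-- Added example fragment of conf/relying-party.xml (not the original page's content).
     Entity IDs and the credential ref are placeholders. -->
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
                      xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Applies to every SP that has no explicit <rp:RelyingParty> override.
         "conditional" signs the LogoutResponse only when the outbound binding
         does not already protect it (e.g. it is signed over HTTP-Redirect/POST,
         not over a TLS-protected SOAP back channel). -->
    <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"
                            defaultSigningCredentialRef="IdPCredential">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                                 signResponses="conditional"
                                 signAssertions="never"
                                 encryptAssertions="conditional"/>
        <rp:ProfileConfiguration xsi:type="saml:SAML2LogoutRequestProfile"
                                 signResponses="conditional"/>
    </rp:DefaultRelyingParty>

    <!-- Per-SP override: this SP insists on signed LogoutResponses on every
         binding, so "always" is used here. Omitting the SAML2LogoutRequestProfile
         element from an override disables SLO for that SP only. -->
    <rp:RelyingParty id="https://sp.example.org/shibboleth"
                     provider="https://idp.example.org/idp/shibboleth"
                     defaultSigningCredentialRef="IdPCredential">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                                 signResponses="conditional"
                                 encryptAssertions="conditional"/>
        <rp:ProfileConfiguration xsi:type="saml:SAML2LogoutRequestProfile"
                                 signResponses="always"/>
    </rp:RelyingParty>

</rp:RelyingPartyGroup>
```

Because an override <rp:RelyingParty> replaces the whole profile list for that SP rather than merging with the default, an SP-specific block that omits the logout profile element silently turns logout off for that SP; check overrides when a single SP reports that its LogoutRequest is rejected.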
In addition, there are advanced options available that you can add to the <ProfileHandler> element(s) in handler.xml that affect how the logout profile handler generates its output. By default, it will use a JSP template called logout.jsp that lives inside the WAR file. You can change this to support Velocity as a template language by adding the following XML attributes:
- templatePath - sets the path or filename of the template to use if other than logout.jsp
- velocityEngine - reference to a Velocity Engine Spring bean defined in internal.xml or a supplemental Spring configuration file
If you want to use a template that lives outside the WAR file, you need to define your own Velocity engine bean, or extend the one defined in internal.xml, so that it can locate templates in the filesystem rather than only on the classpath.
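As an added example, not the project's own configuration, the following shows one SLO <ProfileHandler> in handler.xml using the templatePath and velocityEngine attributes described above, together with a Spring bean for a Velocity engine that loads templates from the filesystem. The ph:SAML2SLO handler type, bindings and request path are written from memory of the 2.4 default handler.xml and should be verified against your copy; the bean id, template directory and template name are assumptions.

```xml
<!-- Added example (not from the original page). -->

<!-- 1. In conf/handler.xml: the HTTP-Redirect SLO endpoint, pointed at an
        external Velocity template instead of the built-in logout.jsp.
        One such element is needed per inbound binding you expose. -->
<ph:ProfileHandler xsi:type="ph:SAML2SLO"
                   inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                   outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                                               urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                   templatePath="logout.vm"
                   velocityEngine="shibboleth.FileVelocityEngine">
    <ph:RequestPath>/SAML2/Redirect/SLO</ph:RequestPath>
</ph:ProfileHandler>

<!-- 2. In a supplemental Spring configuration file loaded alongside internal.xml:
        a Velocity engine that resolves templatePath relative to a directory on
        disk. Keep the directory readable only by the IdP's service account, since
        whatever is placed there is rendered to every user during logout. -->
<bean id="shibboleth.FileVelocityEngine"
      class="org.apache.velocity.app.VelocityEngine"
      init-method="init">
    <constructor-arg>
        <props>
            <!-- file resource loader: templatePath is resolved under this path -->
            <prop key="resource.loader">file</prop>
            <prop key="file.resource.loader.path">/opt/shibboleth-idp/templates</prop>
            <!-- re-read the template when it changes on disk; set to false in
                 production once the template is stable -->
            <prop key="file.resource.loader.cache">true</prop>
            <prop key="file.resource.loader.modificationCheckInterval">60</prop>
            <prop key="input.encoding">UTF-8</prop>
            <prop key="output.encoding">UTF-8</prop>
        </props>
    </constructor-arg>
</bean>
```

The template directory is effectively part of the IdP's trusted code: anyone who can write to it can inject arbitrary HTML and script into the logout page shown to authenticated users, so treat its permissions like those of the WAR itself.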
Metadata
IdP versions that support this profile handler include <SingleLogoutService> endpoints in the metadata generated at installation time. If you are sharing metadata directly with SPs, metadata produced by an older version will not contain these endpoints and they must be added by hand.