Relying Party SAML 2 Logout Request Profile Configuration

This profile configuration enables and configures the IdP's limited support for the SAML 2 Single Logout (SLO) profile. This feature is available in V2.4.0 and later.

This is part of, but not the entire, configuration needed with logout support. For a more general overview/example, see the IdPEnableSLO topic.

Basic Configuration

This profile is enabled by adding the <ProfileConfiguration xsi:type="saml:SAML2LogoutRequestProfile"/> element to a <RelyingParty> definition.

Example SAML2 Logout Request Profile Configuration

<ProfileConfiguration xsi:type="saml:SAML2LogoutRequestProfile" signResponses="conditional"/>

In addition, older versions of the IdP do not have the necessary declarations in the handler.xml file to support the profile endpoints for this feature. To fix this, you will need to add in changes that have occurred between your version of handler.xml and the newer default version. The XML involved is embedded below.

Additions to handler.xml for logout profile support

     <ProfileHandler xsi:type="SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <RequestPath>/SAML2/Redirect/SLO</RequestPath>
    </ProfileHandler>

    <ProfileHandler xsi:type="SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <RequestPath>/SAML2/POST/SLO</RequestPath>
    </ProfileHandler>

    <ProfileHandler xsi:type="SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <RequestPath>/SAML2/POST-SimpleSign/SLO</RequestPath>
    </ProfileHandler>

    <ProfileHandler xsi:type="SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
        <RequestPath>/SAML2/SOAP/SLO</RequestPath>
    </ProfileHandler>

    <ProfileHandler xsi:type="SAML2SLO" inboundBinding="urn:mace:shibboleth:2.0:profiles:LocalLogout">
        <RequestPath>/Logout</RequestPath>
    </ProfileHandler>

Advanced Configuration

The SAML2 Logout Request profile configuration supports the following advanced configuration attributes:

signResponses - see Configuring XML Signature and Encryption

In addition, there are advanced options available that you can add to the <ProfileHandler> element(s) in handler.xml that affect how the logout profile handler generates its output. By default, it will use a JSP template called logout.jsp that lives inside the WAR file. You can change this to support Velocity as a template language by adding the following XML attributes:

templatePath - sets the path or filename of the template to use if other than logout.jsp
velocityEngine - reference to a Velocity Engine Spring bean defined in internal.xml or a supplemental Spring configuration file

If you want to use a template that lives outside the WAR file, you would need to define your own custom Velocity instance, or extend the one defined in internal.xml with support for locating templates in the filesystem.

Metadata

IdP versions that support this profile handler include <SingleLogoutService> endpoints in the generated metadata created at installation time. They would need to be manually added to older versions if you are sharing metadata directly.

Browser not supported