Logout
- Rod Widdowson
- Scott Cantor
- Takeshi Nishimura
TheĀ <Logout>Ā element is used to enable and configure support for Logout protocols and behavior within the SP. Logout in general can be enabled or disabled by adding or removing it.Ā
TheĀ <Logout>Ā element automates the installation of the appropriate handlers based on the protocols selected for activation.Ā
The use of theĀ <Logout>Ā element results in a basic chain of initiator plugins installed at the recommendedĀ "/Logout"Ā handler location. For advanced scenarios that require additional plugins or options, additional explicitĀ <LogoutInitiator> elements can be added to the end of the surroundingĀ <Sessions>Ā element.
Attributes
Name | Type | Default | Description |
|---|---|---|---|
relayStateĀ | string | OverridesĀ relayStateĀ setting from theĀ <Sessions>Ā element. | |
The following attribute can be specified for the SAML2 protocols | |||
Name | Type | Default | Description |
template | local pathname | An HTML template used during transmission of theĀ <samlp:LogoutRequest>Ā message. | |
outgoingBindings | space delimited URIs | List of SAML binding identifiers that determines the order of preferredĀ <md:SingleLogoutService>Ā bindings to use for the request. If this setting is used, failing to list a binding will prevent the use of an IdP that only supports the omitted binding. | |
postArtifact | boolean | false | If true, the SAML artifact binding is implemented using a form POST rather then a redirect. |
asynchronous | boolean | true | When true, the logout request will contain anĀ extensionĀ signaling that the SP doesn't need a response back. This is used to simplify the typical use case in which the user interface is meant to stay at the IdP after the logout completes. |
Element Content
The content of the element is a whitespace-delimited list of "protocol" identifiers. The following are built-in to the SP:
SAML2
SAML 2.0 Browser Single Logout profile (front- and back-channel)
For more complete information about the exact protocol behavior, see theĀ SingleLogoutService topic.
See alsoĀ SAML2 Sessions ConfigurationsĀ
Local
Local removal of a user's session with no IdP involvement
An additional protocol is supported if the relevent extension is loaded. See also theĀ Local LogoutInitiator topic
ADFS
WS-Federation Passive Interoperability Profile (legacy ADFS)
For more complete information about the exact protocol behavior, see theĀ SingleLogoutServiceĀ opic.
The ADFS handler is only available if theĀ adfs.soĀ extension library is loaded by the SP.
Indicated byĀ type="ADFS", supports Microsoft ADFS "signout" requests. If the user's session was initiated with a protocol other than ADFS, then the handler ignores the request. Otherwise, the initiating entityID is used to check for metadata with anĀ <md:IDPSSODescriptor>Ā role supporting ADFS and a compatibleĀ <md:SingleLogoutService>Ā endpoint. The absence of either causes a warning to be logged and the handler otherwise ignores the request.
A "supporting" IdP's role element has aĀ protocolSupportEnumerationĀ attribute containing the valueĀ "http://schemas.xmlsoap.org/ws/2003/07/secext", with an accompanyingĀ <md:SingleLogoutService>with aĀ BindingĀ ofĀ "http://schemas.xmlsoap.org/ws/2003/07/secext".
If a "return" query string parameter is provided, it will be passed to the home realm STS in a "wreply" parameter.
Whether or not the logout request is successfully issued, the user's session will be removed if at all possible.
Others
Other protocols can be "integrated" with the service-based configuration mechanism by supplying the relevant information via theĀ <ProtocolProvider>Ā plugin interface.
Example
A basic example supporting SAML 2.0 and "localized" logout:
<Logout>SAML2 Local</Logout>Ā