Logout
The <Logout> element is used to enable and configure support for logout protocols and behavior within the SP. Logout in general can be enabled or disabled by adding or removing it.
The <Logout> element automates the installation of the appropriate handlers based on the protocols selected for activation.
The use of the <Logout> element results in a basic chain of initiator plugins installed at the recommended "/Logout" handler location. For advanced scenarios that require additional plugins or options, additional explicit <LogoutInitiator> elements can be added to the end of the surrounding <Sessions> element.
Attributes
Name | Type | Default | Description |
---|---|---|---|
relayState | string | | Overrides the relayState setting from the <Sessions> element. |

The following attributes can be specified for the SAML2 protocol:

Name | Type | Default | Description |
---|---|---|---|
template | local pathname | | An HTML template used during transmission of the <samlp:LogoutRequest> message. |
outgoingBindings | space-delimited URIs | | List of SAML binding identifiers that determines the order of preferred <md:SingleLogoutService> bindings to use for the request. If this setting is used, failing to list a binding will prevent the use of an IdP that only supports the omitted binding. |
postArtifact | boolean | false | If true, the SAML artifact binding is implemented using a form POST rather than a redirect. |
asynchronous | boolean | true | When true, the logout request will contain an extension signaling that the SP doesn't need a response back. This is used to simplify the typical use case in which the user interface is meant to stay at the IdP after the logout completes. |
Element Content
The content of the element is a whitespace-delimited list of "protocol" identifiers. The following are built into the SP:
SAML2
SAML 2.0 Browser Single Logout profile (front- and back-channel)
For more complete information about the exact protocol behavior, see the SingleLogoutService topic.
See also SAML2 Sessions Configurations.
Local
Local removal of a user's session with no IdP involvement. See also the Local LogoutInitiator topic.
An additional protocol is supported if the relevant extension is loaded:
ADFS
WS-Federation Passive Interoperability Profile (legacy ADFS)
For more complete information about the exact protocol behavior, see the SingleLogoutService topic.
The ADFS handler is only available if the adfs.so extension library is loaded by the SP.
Indicated by type="ADFS", the handler supports Microsoft ADFS "signout" requests. If the user's session was initiated with a protocol other than ADFS, the handler ignores the request. Otherwise, the initiating entityID is used to check for metadata with an <md:IDPSSODescriptor> role supporting ADFS and a compatible <md:SingleLogoutService> endpoint. The absence of either causes a warning to be logged, and the handler otherwise ignores the request.
A "supporting" IdP's role element has a protocolSupportEnumeration attribute containing the value "http://schemas.xmlsoap.org/ws/2003/07/secext", with an accompanying <md:SingleLogoutService> with a Binding of "http://schemas.xmlsoap.org/ws/2003/07/secext".
If a "return" query string parameter is provided, it will be passed to the home realm STS in a "wreply" parameter.
Whether or not the logout request is successfully issued, the user's session will be removed if at all possible.
Others
Other protocols can be "integrated" with the service-based configuration mechanism by supplying the relevant information via the <ProtocolProvider> plugin interface.
Example
A basic example supporting SAML 2.0 and "localized" logout:
<Logout>SAML2 Local</Logout>
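A fuller <Sessions> fragment, added here as an illustration and not taken from the original page or the project's distributed configuration, showing the <Logout> element with its SAML2-specific attributes and an extra explicit <LogoutInitiator> appended at the end of <Sessions>. The Sessions attribute values, the relayState choices and the "/LocalLogout" Location are assumptions for illustration.

```xml
<!-- Added example (not from the original page). Other <Sessions> children
     such as <SSO> are omitted for brevity. -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
          relayState="ss:mem" handlerSSL="true" cookieProps="https">

    <!-- Enables SAML 2.0 Single Logout plus local session removal and installs
         the initiator chain at the recommended /Logout handler location.
         relayState here overrides the "ss:mem" setting on <Sessions>.
         outgoingBindings fixes the preference order for the IdP's
         <md:SingleLogoutService> endpoints; any binding not listed cannot be
         used, so an IdP that only offers an omitted binding is excluded.
         asynchronous="false" drops the "no response needed" extension, so the
         SP expects a LogoutResponse back from the IdP. -->
    <Logout
        relayState="cookie"
        outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                          urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        asynchronous="false">SAML2 Local</Logout>

    <!-- Advanced scenario: an additional explicit initiator, placed after the
         <Logout> element at the end of <Sessions>. Location is an assumed path. -->
    <LogoutInitiator type="Local" Location="/LocalLogout"/>
</Sessions>
```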