Logout
The <Logout> element is used to enable and configure support for Logout protocols and behavior within the SP. Logout in general can be enabled or disabled by adding or removing it.
The <Logout> element automates the installation of the appropriate handlers based on the protocols selected for activation.
The use of the <Logout> element results in a basic chain of initiator plugins installed at the recommended "/Logout" handler location. For advanced scenarios that require additional plugins or options, additional explicit <LogoutInitiator> elements can be added to the end of the surrounding <Sessions> element.
Attributes
Name | Type | Default | Description |
|---|---|---|---|
relayState | string | Overrides relayState setting from the <Sessions> element. | |
The following attribute can be specified for the SAML2 protocols | |||
Name | Type | Default | Description |
template | local pathname | An HTML template used during transmission of the <samlp:LogoutRequest> message. | |
outgoingBindings | space delimited URIs | List of SAML binding identifiers that determines the order of preferred <md:SingleLogoutService> bindings to use for the request. If this setting is used, failing to list a binding will prevent the use of an IdP that only supports the omitted binding. | |
postArtifact | boolean | false | If true, the SAML artifact binding is implemented using a form POST rather then a redirect. |
asynchronous | boolean | true | When true, the logout request will contain an extension signaling that the SP doesn't need a response back. This is used to simplify the typical use case in which the user interface is meant to stay at the IdP after the logout completes. |
Element Content
The content of the element is a whitespace-delimited list of "protocol" identifiers. The following are built-in to the SP:
SAML2
SAML 2.0 Browser Single Logout profile (front- and back-channel)
For more complete information about the exact protocol behavior, see the SingleLogoutService topic.
See also SAML2 Sessions Configurations
Local
Local removal of a user's session with no IdP involvement
An additional protocol is supported if the relevent extension is loaded. See also the Local LogoutInitiator topic
ADFS
WS-Federation Passive Interoperability Profile (legacy ADFS)
For more complete information about the exact protocol behavior, see the SingleLogoutService opic.
The ADFS handler is only available if the adfs.so extension library is loaded by the SP.
Indicated by type="ADFS", supports Microsoft ADFS "signout" requests. If the user's session was initiated with a protocol other than ADFS, then the handler ignores the request. Otherwise, the initiating entityID is used to check for metadata with an <md:IDPSSODescriptor> role supporting ADFS and a compatible <md:SingleLogoutService> endpoint. The absence of either causes a warning to be logged and the handler otherwise ignores the request.
A "supporting" IdP's role element has a protocolSupportEnumeration attribute containing the value "http://schemas.xmlsoap.org/ws/2003/07/secext", with an accompanying <md:SingleLogoutService>with a Binding of "http://schemas.xmlsoap.org/ws/2003/07/secext".
If a "return" query string parameter is provided, it will be passed to the home realm STS in a "wreply" parameter.
Whether or not the logout request is successfully issued, the user's session will be removed if at all possible.
Others
Other protocols can be "integrated" with the service-based configuration mechanism by supplying the relevant information via the <ProtocolProvider> plugin interface.
Example
A basic example supporting SAML 2.0 and "localized" logout:
<Logout>SAML2 Local</Logout>