Logout

The <Logout> element is used to enable and configure support for Logout protocols and behavior within the SP. Logout in general can be enabled or disabled by adding or removing it.

The <Logout> element automates the installation of the appropriate handlers based on the protocols selected for activation.

The use of the <Logout> element results in a basic chain of initiator plugins installed at the recommended "/Logout" handler location. For advanced scenarios that require additional plugins or options, additional explicit <LogoutInitiator> elements can be added to the end of the surrounding <Sessions> element.

Attributes

Name | Type | Default | Description
relayState | string | | Overrides the relayState setting from the <Sessions> element.

The following attributes can be specified for the SAML2 protocol:

Name | Type | Default | Description
template | local pathname | | An HTML template used during transmission of the <samlp:LogoutRequest> message.
outgoingBindings | space-delimited URIs | | List of SAML binding identifiers that determines the order of preferred <md:SingleLogoutService> bindings to use for the request. If this setting is used, failing to list a binding will prevent the use of an IdP that only supports the omitted binding.
postArtifact | boolean | false | If true, the SAML artifact binding is implemented using a form POST rather than a redirect.
asynchronous | boolean | true | When true, the logout request will contain an extension signaling that the SP doesn't need a response back. This simplifies the typical use case in which the user interface is meant to stay at the IdP after the logout completes.

Element Content

The content of the element is a whitespace-delimited list of "protocol" identifiers. The following are built into the SP:

SAML2

SAML 2.0 Browser Single Logout profile (front- and back-channel)

For more complete information about the exact protocol behavior, see the SingleLogoutService topic.

See also SAML2 Sessions Configurations.

Local

Local removal of a user's session with no IdP involvement. See also the Local LogoutInitiator topic.

An additional protocol is supported if the relevant extension is loaded:

ADFS

WS-Federation Passive Interoperability Profile (legacy ADFS)

For more complete information about the exact protocol behavior, see the SingleLogoutService topic.

The ADFS handler is only available if the adfs.so extension library is loaded by the SP.

Indicated by type="ADFS", it supports Microsoft ADFS "signout" requests. If the user's session was initiated with a protocol other than ADFS, the handler ignores the request. Otherwise, the initiating entityID is used to check for metadata with an <md:IDPSSODescriptor> role supporting ADFS and a compatible <md:SingleLogoutService> endpoint. The absence of either causes a warning to be logged, and the handler otherwise ignores the request.

A "supporting" IdP's role element has a protocolSupportEnumeration attribute containing the value "http://schemas.xmlsoap.org/ws/2003/07/secext", with an accompanying <md:SingleLogoutService> with a Binding of "http://schemas.xmlsoap.org/ws/2003/07/secext".

If a "return" query string parameter is provided, it will be passed to the home realm STS in a "wreply" parameter.

Whether or not the logout request is successfully issued, the user's session will be removed if at all possible.

Others

Other protocols can be "integrated" with the service-based configuration mechanism by supplying the relevant information via the <ProtocolProvider> plugin interface.

Example

A basic example supporting SAML 2.0 and "localized" logout:

<Logout>SAML2 Local</Logout>
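As an added example (not from the original page or the Shibboleth project's own documentation), a <Sessions> fragment that uses the attributes described above: it turns off the "no response needed" default, pins the outgoing binding order, overrides relayState, and appends one explicit <LogoutInitiator> for the advanced case. The entityID, handlerURL, relayState stores and the /LocalLogout path are placeholders, and the <LogoutInitiator> attribute names are assumed from the SP's handler conventions.

```xml
<!-- Added example of a <Sessions> element in shibboleth2.xml; not taken
     from the Shibboleth documentation. URLs, paths and relayState stores
     are placeholders. -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
          handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https"
          relayState="ss:mem">

    <!-- Placeholder IdP; SAML2 SSO only. -->
    <SSO entityID="https://idp.example.org/idp/shibboleth">
        SAML2
    </SSO>

    <!-- Installs the default initiator chain at /Logout.
         asynchronous="false" omits the SP's "no response needed"
         extension, so the SP no longer tells the IdP it may skip the
         <samlp:LogoutResponse>; the browser is expected back at the SP.
         outgoingBindings fixes the <md:SingleLogoutService> preference
         order; an IdP whose only SLO binding is not in this list can
         then no longer be used for logout (the caveat in the table).
         relayState="cookie" overrides the ss:mem value on <Sessions>. -->
    <Logout asynchronous="false"
            outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            relayState="cookie">
        SAML2 Local
    </Logout>

    <!-- Advanced case from the text above: an extra explicit initiator
         appended at the end of <Sessions>. It performs only a local
         session removal at a second path, with no IdP round trip.
         (type/Location attribute names are assumed, not from the page.) -->
    <LogoutInitiator type="Local" Location="/LocalLogout"/>

</Sessions>
```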
