Logout

The <Logout> element is used to enable and configure support for Logout protocols and behavior within the SP. Logout in general can be enabled or disabled by adding or removing it. 

The <Logout> element automates the installation of the appropriate handlers based on the protocols selected for activation. 

The use of the <Logout> element results in a basic chain of initiator plugins installed at the recommended "/Logout" handler location. For advanced scenarios that require additional plugins or options, additional explicit <LogoutInitiator> elements can be added to the end of the surrounding <Sessions> element.

Attributes

NameTypeDefaultDescription

relayState 

string

Overrides relayState setting from the <Sessions> element.

The following attribute can be specified for the SAML2 protocols
NameTypeDefaultDescription

template

local pathname

An HTML template used during transmission of the <samlp:LogoutRequest> message.

outgoingBindingsspace delimited URIs
List of SAML binding identifiers that determines the order of preferred <md:SingleLogoutService> bindings to use for the request. If this setting is used, failing to list a binding will prevent the use of an IdP that only supports the omitted binding.
postArtifactbooleanfalseIf true, the SAML artifact binding is implemented using a form POST rather then a redirect.
asynchronousbooleantrue

When true, the logout request will contain an extension signaling that the SP doesn't need a response back. This is used to simplify the typical use case in which the user interface is meant to stay at the IdP after the logout completes.

Element Content

The content of the element is a whitespace-delimited list of "protocol" identifiers. The following are built-in to the SP:

SAML2

SAML 2.0 Browser Single Logout profile (front- and back-channel)

For more complete information about the exact protocol behavior, see the SingleLogoutService topic.

See also SAML2 Sessions Configurations 

Local

Local removal of a user's session with no IdP involvement

An additional protocol is supported if the relevent extension is loaded. See also the Local LogoutInitiator topic

ADFS

WS-Federation Passive Interoperability Profile (legacy ADFS)

For more complete information about the exact protocol behavior, see the SingleLogoutService opic.

The ADFS handler is only available if the adfs.so extension library is loaded by the SP.

Indicated by type="ADFS", supports Microsoft ADFS "signout" requests. If the user's session was initiated with a protocol other than ADFS, then the handler ignores the request. Otherwise, the initiating entityID is used to check for metadata with an <md:IDPSSODescriptor> role supporting ADFS and a compatible <md:SingleLogoutService> endpoint. The absence of either causes a warning to be logged and the handler otherwise ignores the request.

A "supporting" IdP's role element has a protocolSupportEnumeration attribute containing the value "http://schemas.xmlsoap.org/ws/2003/07/secext", with an accompanying <md:SingleLogoutService>with a Binding of "http://schemas.xmlsoap.org/ws/2003/07/secext".

If a "return" query string parameter is provided, it will be passed to the home realm STS in a "wreply" parameter.

Whether or not the logout request is successfully issued, the user's session will be removed if at all possible.

Others

Other protocols can be "integrated" with the service-based configuration mechanism by supplying the relevant information via the <ProtocolProvider> plugin interface.

Example

A basic example supporting SAML 2.0 and "localized" logout:

<Logout>SAML2 Local</Logout>