SAML2 LogoutInitiator

 

Advanced Configuration

Note, this is an advanced configuration feature. Most deployments can rely on the <Logout> shorthand element.

Indicated by type="SAML2", this LogoutInitiator supports SAML 2.0 SP-initiated single logout. If the user's session was initiated with a protocol other than SAML 2, then the handler ignores the request. Otherwise, the initiating entityID is used to check for metadata with an <md:IDPSSODescriptor> role supporting SAML 2.0 and a compatible <md:SingleLogoutService> endpoint. The absence of either causes an INFO-level message to be logged and the handler otherwise ignores the request.

If a "return" query string parameter is provided, it will be preserved via a relay state mechanism.

Whether or not the logout request is successfully issued, the user's session will be removed if at all possible.

Attributes

Common Attributes

Specific Attributes

Name

Type

Default

Description

Name

Type

Default

Description

template

local pathname

 

An HTML template used during transmission of the <samlp:LogoutRequest> message

outgoingBindings

space delimited URI list



List of SAML binding identifiers that determines the order of preferred <md:SingleLogoutService> bindings to use for the request. If this setting is used, failing to list a binding will prevent the use of an IdP that only supports the omitted binding.

postArtifact

boolean

false

If true, the SAML artifact binding is implemented using a form POST rather then a redirect.

asynchronous 

boolean

false

When true, the logout request will contain an extension signaling that the SP doesn't need a response back. This is used to simplify the typical use case in which the user interface is meant to stay at the IdP after the logout completes