ADFS LogoutInitiator
Advanced Configuration
Note, this is an advanced configuration feature. Most deployments can rely on the <Logout> shorthand element.
Indicated by type="ADFS", this LogoutInitiator supports Microsoft ADFS "signout" requests. If the user's session was initiated with a protocol other than ADFS, then the handler ignores the request. Otherwise, the initiating entityID is used to check for metadata with an <md:IDPSSODescriptor> role supporting ADFS and a compatible <md:SingleLogoutService> endpoint. The absence of either causes a warning to be logged and the handler otherwise ignores the request.
A "supporting" IdP's role element has a protocolSupportEnumeration attribute containing the value "http://schemas.xmlsoap.org/ws/2003/07/secext", with an accompanying <md:SingleLogoutService> with a Binding of "http://schemas.xmlsoap.org/ws/2003/07/secext".
If a "return" query string parameter is provided, it will be passed to the home realm STS in a "wreply" parameter.
Whether or not the logout request is successfully issued, the user's session will be removed if at all possible.
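The metadata check described above can be reproduced offline to find out why a signout request would be ignored for a given IdP. The following is an added example, not code from the SP itself; the function name, the sample metadata and the example.org entityIDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ADFS = "http://schemas.xmlsoap.org/ws/2003/07/secext"  # URI quoted on this page

def adfs_logout_endpoints(metadata_xml, entity_id):
    """Return the Location of every ADFS-bound SingleLogoutService under an
    IDPSSODescriptor that lists the ADFS URI in protocolSupportEnumeration.
    An empty list is the case where the handler warns and ignores the request."""
    root = ET.fromstring(metadata_xml)
    found = []
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ent.get("entityID") != entity_id:
            continue
        for role in ent.findall(f"{{{MD}}}IDPSSODescriptor"):
            # protocolSupportEnumeration is a whitespace-separated list of URIs
            if ADFS not in role.get("protocolSupportEnumeration", "").split():
                continue
            for slo in role.findall(f"{{{MD}}}SingleLogoutService"):
                if slo.get("Binding") == ADFS and slo.get("Location"):
                    found.append(slo.get("Location"))
    return found

# Constructed sample metadata (hypothetical entities, not from any real federation)
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://adfs.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol {ADFS}">
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.org/saml/slo"/>
      <md:SingleLogoutService Binding="{ADFS}" Location="https://adfs.example.org/adfs/ls/"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://noslo.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="{ADFS}">
      <md:SingleSignOnService Binding="{ADFS}" Location="https://noslo.example.org/adfs/ls/"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://saml.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="{ADFS}" Location="https://saml.example.org/ls/"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    for eid in ("https://adfs.example.org/idp", "https://noslo.example.org/idp",
                "https://saml.example.org/idp"):
        print(eid, "->", adfs_logout_endpoints(SAMPLE, eid) or "no usable ADFS logout endpoint")
```

The second and third entities show the two independent failure cases: role support without a matching endpoint, and a matching endpoint under a role that does not declare ADFS support.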