SAML 2.0 SingleLogoutService

Advanced Configuration

Note, this is an advanced configuration feature. Most deployments can rely on the shorthand elements.

The SAML 2.0 logout handler implements the SAML 2.0 Browser Single Logout profile. The incoming message may be a <samlp:LogoutRequest> or <samlp:LogoutResponse>.

If the message is a request via a front-channel binding, then the following steps are performed. If an error occurs at any point, an effort is made to respond to the requesting IdP with a <samlp:LogoutResponse> containing the error.

  1. Verification of the information in the request against the active session is done.

  2. Any of this user's sessions being logged out other than the active session are removed from the cache.

  3. Front and back-channel application notification loops are executed.

  4. A <samlp:LogoutResponse> is returned to the requesting IdP. The status indicates whether the SP believes that the logout completely succeeded.

If the message is a request via a back-channel binding, then the following steps are performed:

  1. The request content is used to obtain a list of applicable sessions to remove.

  2. The sessions are removed.

  3. The back-channel application notification loop is executed.

  4. A <samlp:LogoutResponse> is returned to the requesting IdP. The status indicates whether the SP believes that the logout completely succeeded.
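The two request flows above, modelled as an added example in Python. This is not Shibboleth SP code: it is an illustration of the steps the text describes (verify against the active session, remove the user's other sessions, run the notification loop, answer with a <samlp:LogoutResponse> whose status reflects whether everything succeeded). The session cache, the IdP and SP entity IDs, the sample <samlp:LogoutRequest> and the notify callback are all constructed for the example, and the request is assumed to have already passed binding-level signature and Destination checks before it reaches this code.

```python
"""Illustrative SAML 2.0 Single Logout request handling (added example, not SP code)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

# Hypothetical entity IDs used throughout the example.
IDP = "https://idp.example.org/idp"
SP = "https://sp.example.org/shibboleth"

# Constructed request: one user, two SessionIndex values. Assumed already
# signature-checked by the binding layer (HTTP-Redirect / POST / SOAP).
LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:NameID>_abc</saml:NameID>
  <samlp:SessionIndex>idx-1</samlp:SessionIndex>
  <samlp:SessionIndex>idx-2</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class LogoutError(Exception):
    """Verification failure; reported back to the IdP in the response status."""


def sample_cache():
    """Constructed session cache: SP session id -> record of the IdP session it came from."""
    return {
        "s-active": {"idp": IDP, "name_id": "_abc", "index": "idx-1"},
        "s-other":  {"idp": IDP, "name_id": "_abc", "index": "idx-2"},
        "s-bob":    {"idp": IDP, "name_id": "_xyz", "index": "idx-9"},
    }


def parse_logout_request(xml_text):
    """Pull Issuer, NameID and SessionIndex values out of a <samlp:LogoutRequest>."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise LogoutError("message is not a LogoutRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),  # Format/qualifiers ignored here
        "indexes": [e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex")],
    }


def sessions_matching(cache, req):
    """Sessions the request content applies to: same IdP, same NameID, listed SessionIndex."""
    return [sid for sid, s in cache.items()
            if s["idp"] == req["issuer"] and s["name_id"] == req["name_id"]
            and (not req["indexes"] or s["index"] in req["indexes"])]


def build_logout_response(req, status, substatus=None, message=None):
    """Serialise a <samlp:LogoutResponse> answering req with the given status code(s)."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "InResponseTo": req["id"],
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = SP
    status_el = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(status_el, f"{{{SAMLP}}}StatusCode", Value=status)
    if substatus:
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", Value=substatus)
    if message:
        ET.SubElement(status_el, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def response_status(xml_text):
    """Return (top-level StatusCode, second-level StatusCode or None) of a LogoutResponse."""
    top = ET.fromstring(xml_text).find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    sub = top.find(f"{{{SAMLP}}}StatusCode")
    return top.get("Value"), (sub.get("Value") if sub is not None else None)


def handle_front_channel(cache, active_sid, req, notify):
    """Front-channel flow: verify against the active session, then log out and respond."""
    try:
        active = cache.get(active_sid)
        if active is None:
            raise LogoutError("no active session for this browser")
        if active["idp"] != req["issuer"] or active["name_id"] != req["name_id"]:
            raise LogoutError("request does not match the active session")
        if req["indexes"] and active["index"] not in req["indexes"]:
            raise LogoutError("SessionIndex does not match the active session")
        # Step 2: this user's other sessions named by the request leave the cache.
        others = [sid for sid in sessions_matching(cache, req) if sid != active_sid]
        for sid in others:
            del cache[sid]
        # Step 3: notification loop; every application gets told, results collected.
        results = [notify(sid) for sid in others + [active_sid]]
        del cache[active_sid]  # the active session ends last, after notification
        if all(results):
            return build_logout_response(req, STATUS_SUCCESS)
        return build_logout_response(req, STATUS_RESPONDER, STATUS_PARTIAL,
                                     "application notification failed")
    except LogoutError as err:
        # Any error is still answered with a LogoutResponse carrying the error.
        return build_logout_response(req, STATUS_REQUESTER, message=str(err))


def handle_back_channel(cache, req, notify):
    """Back-channel (SOAP) flow: request content selects the sessions; no browser session."""
    targets = sessions_matching(cache, req)
    for sid in targets:
        del cache[sid]
    results = [notify(sid) for sid in targets]
    if all(results):
        return build_logout_response(req, STATUS_SUCCESS)
    return build_logout_response(req, STATUS_RESPONDER, STATUS_PARTIAL,
                                 "application notification failed")
```

The status carried back is the SP's own verdict: a top-level Success only when every notification succeeded, and Responder with a second-level PartialLogout when some application could not be notified, so the IdP can tell a complete logout from a partial one. A request that fails verification never touches the cache; it is answered with a Requester status and the reason.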

If the message is a response, then the SP completes the logout operation by redirecting the browser to a location preserved by relay state, if any; otherwise the globalLogout template is displayed.

The following Binding values are supported:

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact

  • urn:oasis:names:tc:SAML:2.0:bindings:SOAP

Attributes