SAML2 LogoutInitiator
Advanced Configuration
Note, this is an advanced configuration feature. Most deployments can rely on the <Logout> shorthand element.
Indicated by type="SAML2", this LogoutInitiator supports SAML 2.0 SP-initiated single logout. If the user's session was initiated with a protocol other than SAML 2, then the handler ignores the request. Otherwise, the initiating entityID is used to check for metadata with an <md:IDPSSODescriptor> role supporting SAML 2.0 and a compatible <md:SingleLogoutService> endpoint. The absence of either causes an INFO-level message to be logged and the handler otherwise ignores the request.
If a "return" query string parameter is provided, it will be preserved via a relay state mechanism.
Whether or not the logout request is successfully issued, the user's session will be removed if at all possible.
Attributes
Common Attributes
Specific Attributes
Name | Type | Default | Description |
|---|---|---|---|
template | local pathname |
| An HTML template used during transmission of the <samlp:LogoutRequest> message |
outgoingBindings | space delimited URI list | List of SAML binding identifiers that determines the order of preferred <md:SingleLogoutService> bindings to use for the request. If this setting is used, failing to list a binding will prevent the use of an IdP that only supports the omitted binding. | |
postArtifact | boolean | false | If true, the SAML artifact binding is implemented using a form POST rather then a redirect. |
asynchronous | boolean | false | When true, the logout request will contain an extension signaling that the SP doesn't need a response back. This is used to simplify the typical use case in which the user interface is meant to stay at the IdP after the logout completes |