1. LogoutRequest issued by SP to IDP
2. IDP determines the authenticated SPs for the given user session. If there are no SPs other than the SP that sent the logout request, the profile proceeds with step 5. Otherwise, steps 3 and 4 are repeated for each SP.
3. LogoutRequest issued by IDP to SP
4. SP issues LogoutResponse to IDP
5. IDP issues LogoutResponse to the SP that sent the logout request
SAML User Scenarios : Page 2 (Logout)
LogoutRequest extends RequestAbstractType.
The following attributes are required on any RequestAbstractType element:
- ID – An identifier for the request. This must be unique; in practice a random value.
- Version – Indicates the SAML version.
- IssueInstant – Time instant of issue of the request. The time value is encoded in UTC.
Apart from that, exactly one of the following elements is required in a LogoutRequest:
- BaseID or NameID or EncryptedID
This identifies the principal (user identifier), basically a name that is known to both IDP and SP.
There are also a few optional elements:
- NotOnOrAfter – The time at which the request expires, in UTC.
- Reason – The reason for the logout, in the form of a URI reference. There are two standard reasons:
  - urn:oasis:names:tc:SAML:2.0:logout:user – user terminates session and initiates logout
  - urn:oasis:names:tc:SAML:2.0:logout:admin – admin terminates session and initiates logout
- SessionIndex – The session identifier that is used to identify the user session with both IDP and SP for the given user.
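As an added example (not from the original article or the linked source), the following Python builds a LogoutRequest carrying the attributes and elements listed above, and shows the receiver-side checks an SP or IDP should run before terminating a session: required attributes present, a single subject identifier, NotOnOrAfter not reached, and the Reason URI recognised. The issuer, principal and session values are constructed sample data.

```python
"""Build and validate a SAML 2.0 LogoutRequest (added example)."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
STANDARD_REASONS = {
    "urn:oasis:names:tc:SAML:2.0:logout:user",
    "urn:oasis:names:tc:SAML:2.0:logout:admin",
}
TS = "%Y-%m-%dT%H:%M:%SZ"  # IssueInstant/NotOnOrAfter are UTC

def build_logout_request(issuer, name_id, session_index, reason, ttl_seconds=300):
    """Assemble the required ID/Version/IssueInstant, the NameID subject,
    and the optional NotOnOrAfter, Reason and SessionIndex."""
    now = datetime.now(timezone.utc)
    req = ET.Element(f"{{{NS_P}}}LogoutRequest", {
        "ID": "_" + secrets.token_hex(16),  # unique, unguessable request id
        "Version": "2.0",
        "IssueInstant": now.strftime(TS),
        "NotOnOrAfter": (now + timedelta(seconds=ttl_seconds)).strftime(TS),
        "Reason": reason,
    })
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS_A}}}NameID").text = name_id
    ET.SubElement(req, f"{{{NS_P}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")

def validate_logout_request(xml_text):
    """Receiver-side checks. Returns (ok, SessionIndex or error detail).
    For untrusted input in production, parse with defusedxml instead."""
    req = ET.fromstring(xml_text)
    if req.tag != f"{{{NS_P}}}LogoutRequest":
        return False, "not a LogoutRequest"
    for attr in ("ID", "Version", "IssueInstant"):
        if not req.get(attr):
            return False, f"missing required attribute {attr}"
    if req.get("Version") != "2.0":
        return False, "unsupported SAML version"
    subj = (f"{{{NS_A}}}BaseID", f"{{{NS_A}}}NameID", f"{{{NS_A}}}EncryptedID")
    if sum(1 for c in req if c.tag in subj) != 1:
        return False, "expected exactly one of BaseID/NameID/EncryptedID"
    expiry = req.get("NotOnOrAfter")  # optional; reject at or after this instant
    if expiry and datetime.now(timezone.utc) >= datetime.strptime(expiry, TS).replace(tzinfo=timezone.utc):
        return False, "request expired"
    reason = req.get("Reason")
    if reason and reason not in STANDARD_REASONS:
        return False, f"non-standard logout reason {reason}"
    si = req.find(f"{{{NS_P}}}SessionIndex")
    return True, si.text if si is not None else None
```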
Sources:
http://xacmlinfo.org/2013/06/28/how-saml2-single-logout-works/