SAML 2.0 Logout
SP-Initiated SAML Logout
SP-initiated SAML logout works as follows (the numbers of the steps below correspond to the numbers in the figure above):
- Logout is initiated by sending a request to an application URL with the query parameter logout.
  - Example: https://www.siven.ch/myapp/?logout
- The request is intercepted by nevisProxy and does not reach the application.
- The IDP is determined and the corresponding ServiceProviderState returns a LogoutRequest.
  - Example:
- The browser is instructed to send the LogoutRequest to the SAML IDP.
  - This request is typically sent using a POST request.
- The request is validated by the SAML IDP (IdentityProviderState).
- The SAML IDP answers as follows:
  - The IdentityProviderState produces an AUTH_CONTINUE response which contains a GUI descriptor.
  - nevisLogRend transforms the GUI descriptor into an HTML page.
  - nevisLogRend adds JavaScript (see macros.vm) that drives the remaining steps of the flow from the browser.
- The browser sends a LogoutRequest message to each additional SP that has participated in this session.
  - The requests are sent in parallel via AJAX calls. These are cross-site requests: an SP can only terminate its session if the browser attaches that SP's session cookie to the call.
  - The LogoutRequest is added as the query parameter SAMLRequest.
- Each SP terminates the session of the user.
  - The SP clears any additional cookies used to detect expired sessions.
  - The SP returns a LogoutResponse. The default JavaScript ignores these responses, so a failed logout at one SP is not reported to the user.
- The session is terminated at the IDP by sending an additional request with ?logout attached.
  - This request is also sent in the background using an AJAX call.
  - This is required to ensure that the session at the IDP is terminated.
- The user is sent to the SP that initiated the SAML logout.
  - The URL contains a LogoutResponse message to signal a successful logout.
- The SAML SP redirects the user to its logout target.
  - By default, the RelayState (the URL of the application) is used; because that URL is protected, a new SAML authentication is initiated immediately.
  - You can set a different Logout Target in the SAML SP Realm pattern.