Single Sign Out

[Figure: saml-logout]

  1. LogoutRequest issued by the SP to the IDP.
  2. The IDP determines which SPs are authenticated for the given user session. If there are no SPs other than the SP that sent the logout request, the profile proceeds with step 5. Otherwise, steps 3 and 4 are repeated for each such SP.
  3. LogoutRequest issued by the IDP to the SP.
  4. The SP issues a LogoutResponse to the IDP.
  5. The IDP issues a LogoutResponse to the SP that sent the logout request.
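The five steps above as an added in-memory model (not code from the original page or from either of the cited sources). Messages are plain dicts instead of signed XML, the ServiceProvider and IdentityProvider classes and the example entity IDs are assumptions made for the demo, and the status URIs are the standard SAML 2.0 top-level status codes. The model also covers the two cases the steps imply but do not spell out: a session with no other participants skips straight to step 5, and a request whose NameID does not match the session is refused so that one principal cannot log out another's session.

```python
"""Added example: minimal model of the SAML single-logout fan-out (steps 1-5)."""
from dataclasses import dataclass, field
from typing import Optional
import uuid

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"


def new_id() -> str:
    # SAML IDs are xsd:ID values: unique and not starting with a digit, hence the underscore.
    return "_" + uuid.uuid4().hex


def logout_response(issuer: str, in_response_to: str, status: str) -> dict:
    return {"Type": "LogoutResponse", "ID": new_id(), "InResponseTo": in_response_to,
            "Issuer": issuer, "Status": status}


@dataclass
class ServiceProvider:
    entity_id: str
    sessions: set = field(default_factory=set)  # SessionIndex values this SP currently holds

    def handle_logout_request(self, req: dict) -> dict:
        # Step 4: drop the local session and answer the IDP.
        if req["SessionIndex"] in self.sessions:
            self.sessions.discard(req["SessionIndex"])
            return logout_response(self.entity_id, req["ID"], STATUS_SUCCESS)
        # Constructed behaviour for the demo: an unknown session is reported as a responder error.
        return logout_response(self.entity_id, req["ID"], STATUS_RESPONDER)


@dataclass
class IdentityProvider:
    entity_id: str
    sessions: dict = field(default_factory=dict)  # SessionIndex -> (NameID, set of SP entity IDs)
    sps: dict = field(default_factory=dict)       # entity ID -> ServiceProvider

    def login(self, name_id: str, sp: ServiceProvider, session_index: Optional[str] = None) -> str:
        session_index = session_index or new_id()
        participants = self.sessions.setdefault(session_index, (name_id, set()))[1]
        participants.add(sp.entity_id)
        sp.sessions.add(session_index)
        self.sps[sp.entity_id] = sp
        return session_index

    def handle_logout_request(self, req: dict) -> tuple:
        """Steps 2-5. Returns (response to the initiating SP, list of fan-out responses)."""
        initiator = req["Issuer"]
        name_id, participants = self.sessions.get(req["SessionIndex"], (None, set()))
        if name_id is None or name_id != req["NameID"]:
            # Unknown session or NameID mismatch: refuse instead of touching anyone's session.
            return logout_response(self.entity_id, req["ID"], STATUS_REQUESTER), []
        fanout = []
        for sp_id in sorted(participants - {initiator}):          # step 2: every other SP
            sp_req = {"Type": "LogoutRequest", "ID": new_id(), "Issuer": self.entity_id,
                      "NameID": name_id, "SessionIndex": req["SessionIndex"]}  # step 3
            fanout.append(self.sps[sp_id].handle_logout_request(sp_req))        # step 4
        self.sessions.pop(req["SessionIndex"])
        self.sps[initiator].sessions.discard(req["SessionIndex"])
        all_ok = all(r["Status"] == STATUS_SUCCESS for r in fanout)
        return logout_response(self.entity_id, req["ID"],
                               STATUS_SUCCESS if all_ok else STATUS_RESPONDER), fanout  # step 5


def run_demo() -> tuple:
    """Alice is logged in at three SPs; SP A initiates logout (step 1)."""
    idp = IdentityProvider("https://idp.example")              # constructed entity IDs
    sp_a, sp_b, sp_c = (ServiceProvider(f"https://sp-{n}.example") for n in "abc")
    sid = idp.login("alice", sp_a)
    idp.login("alice", sp_b, sid)
    idp.login("alice", sp_c, sid)
    req = {"Type": "LogoutRequest", "ID": new_id(), "Issuer": sp_a.entity_id,
           "NameID": "alice", "SessionIndex": sid}
    resp, fanout = idp.handle_logout_request(req)
    return resp, fanout, (sp_a, sp_b, sp_c), idp


if __name__ == "__main__":
    resp, fanout, sps, idp = run_demo()
    print(resp["Status"], "after", len(fanout), "fan-out requests; remaining IDP sessions:", idp.sessions)
```

Running the demo shows the IDP sending exactly two LogoutRequests (to SP B and SP C, never back to the initiator), collecting their responses, and only then answering SP A.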

[Figure: SAML User Scenarios : Page 2 (Logout)]

LogoutRequest extends RequestAbstractType.

The following attributes must be present on the RequestAbstractType element:

  1. ID – An identifier for the request. It must be unique; basically a random value.
  2. Version – Indicates the SAML version.
  3. IssueInstant – The time instant at which the request was issued. The time value is encoded in UTC.

Apart from that, one of the following is required in a LogoutRequest:

  4. BaseID or NameID or EncryptedID – Identifies the principal (the user identifier). Basically a name that is known to both the IDP and the SP.

There are also a few optional elements:

  5. NotOnOrAfter – The time at which the request expires, in UTC.
  6. Reason – The reason for the logout, in the form of a URI reference.
    1. There are two standard reasons:
      1. urn:oasis:names:tc:SAML:2.0:logout:user – the user terminated the session and initiated the logout
      2. urn:oasis:names:tc:SAML:2.0:logout:admin – an administrator terminated the session and initiated the logout
  7. SessionIndex – The session identifier used by both the IDP and the SP to identify the user session for the given user.
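To make the list above concrete, here is an added example (not code from the original page or from the cited sources) that builds a LogoutRequest carrying every attribute and element listed, using only the Python standard library, and a validator that checks an incoming request against the same rules: the three required attributes, a subject identifier, expiry against NotOnOrAfter, and whether Reason is one of the two standard URIs. The issuer, NameID and SessionIndex values are constructed for the demo; the namespace URIs and the two Reason URIs are the standard SAML 2.0 ones.

```python
"""Added example: build and validate a SAML 2.0 LogoutRequest with the standard library."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

STANDARD_REASONS = {
    "urn:oasis:names:tc:SAML:2.0:logout:user",
    "urn:oasis:names:tc:SAML:2.0:logout:admin",
}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # UTC, as IssueInstant and NotOnOrAfter require


def build_logout_request(issuer, name_id, session_index, reason=None, lifetime_s=300):
    now = dt.datetime.now(dt.timezone.utc)
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,              # unique, xsd:ID-safe random value
        "Version": "2.0",
        "IssueInstant": now.strftime(TIME_FMT),
        "NotOnOrAfter": (now + dt.timedelta(seconds=lifetime_s)).strftime(TIME_FMT),
    })
    if reason:
        req.set("Reason", reason)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id          # the principal
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def validate_logout_request(xml_text):
    """Return (ok, problems, warnings) for an incoming LogoutRequest."""
    problems, warnings = [], []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return False, ["not a samlp:LogoutRequest"], warnings
    # Required attributes inherited from RequestAbstractType.
    for attr in ("ID", "Version", "IssueInstant"):
        if not root.get(attr):
            problems.append(f"missing required attribute {attr}")
    if root.get("Version") not in (None, "2.0"):
        problems.append(f"unsupported Version {root.get('Version')}")
    # Exactly one subject identifier form is required.
    present = [t for t in ("BaseID", "NameID", "EncryptedID")
               if root.find(f"{{{SAML}}}{t}") is not None]
    if len(present) != 1:
        problems.append(f"expected one of BaseID/NameID/EncryptedID, found {present}")
    # Optional expiry: reject a request whose NotOnOrAfter has passed.
    expires = root.get("NotOnOrAfter")
    if expires:
        exp_dt = dt.datetime.strptime(expires, TIME_FMT).replace(tzinfo=dt.timezone.utc)
        if dt.datetime.now(dt.timezone.utc) >= exp_dt:
            problems.append("request expired (NotOnOrAfter has passed)")
    # Optional Reason: any URI is allowed, but a non-standard one is worth logging.
    reason = root.get("Reason")
    if reason and reason not in STANDARD_REASONS:
        warnings.append(f"non-standard Reason {reason}")
    if root.find(f"{{{SAMLP}}}SessionIndex") is None:
        warnings.append("no SessionIndex: logout would apply to all of the principal's sessions")
    return not problems, problems, warnings


if __name__ == "__main__":
    xml = build_logout_request("https://sp.example", "alice", "_session-1",
                               reason="urn:oasis:names:tc:SAML:2.0:logout:user")
    print(xml)
    print(validate_logout_request(xml))
```

The validator deliberately separates hard failures (missing required attributes, no subject identifier, expired request) from warnings (a custom Reason, a missing SessionIndex), since the latter are legal under the profile but are the kind of thing an SP or IDP operator wants in its logs.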

Sources:

http://xacmlinfo.org/2013/06/28/how-saml2-single-logout-works/

https://azure.microsoft.com/en-us/documentation/articles/active-directory-single-sign-out-protocol-reference/