SAMLLogout
Warning
This authenticator is a legacy authenticator. We recommend planning a migration to the new protocol-agnostic authenticator architecture. More information about the legacy authenticators can be found here.
Note
Performs SAML Single Logout (SLO).
Caution
NOTE: The behaviour has changed to also support SLO when PAS is acting as a SAML SP, mostly in broker scenarios.
1: A logout request is triggered from the SP and received by PAS
2: PAS issues a logout request and sends it to all "External IdPs" that support SLO according to metadata, if applicable
3: PAS issues a logout request and sends it to all SPs that support SLO according to metadata
4: The PAS session is terminated
5: A logout response is sent to the SLO initiator
Properties
Name | Description | Default value | Mandatory |
---|---|---|---|
pipeID | The id of the pipe to be executed | N/A | Yes |
template | The UI template used. | autopost.template | No |
targetIDP | The EntityID of the PAS IdP used in the federation | | Yes, in broker scenario |
internalSPID | The EntityID of the PAS SP | | Yes, in broker scenario |
Example Configuration - No broker scenario
{
    "alias" : "slo",
    "name" : "SAMLLogout",
    "configuration" : {
        "pipeID" : "pipeSLO",
        "template" : "autopost"
    },
    "id" : "slo"
}
Example Configuration - broker scenario
{
    "alias" : "slo",
    "name" : "SAMLLogout",
    "configuration" : {
        "pipeID" : "pipeSLO",
        "targetIDP": "https://idp.company.org/idp",
        "internalSPID": "https://idp.company.org/brokerwithslo"
    },
    "id" : "slo"
}
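The following Python lint is an added example, not part of the PAS documentation or product. It checks a SAMLLogout entry against the properties table above: pipeID must be set, and targetIDP and internalSPID must be configured together. The function name `lint_saml_logout`, the misspelled sample, and the rule that keys outside the table are typos are assumptions of this example.

```python
import json

ALLOWED = {"pipeID", "template", "targetIDP", "internalSPID"}  # the properties table
BROKER_KEYS = ("targetIDP", "internalSPID")  # both mandatory in the broker scenario

def lint_saml_logout(authenticator):
    """Return a list of findings for one SAMLLogout authenticator entry."""
    if authenticator.get("name") != "SAMLLogout":
        return ["not a SAMLLogout authenticator"]
    conf = authenticator.get("configuration") or {}
    findings = []
    if not str(conf.get("pipeID") or "").strip():
        findings.append("pipeID is mandatory")
    # A broker setup needs both EntityIDs; exactly one present means it is half-configured.
    present = [k for k in BROKER_KEYS if str(conf.get(k) or "").strip()]
    if len(present) == 1:
        missing = next(k for k in BROKER_KEYS if k not in present)
        findings.append(f"broker scenario: {present[0]} is set but {missing} is missing")
    # Assumption of this example: a key outside the table is a typo, not a hidden option.
    for key in sorted(set(conf) - ALLOWED):
        findings.append(f"unknown property {key!r}")
    return findings

# Constructed sample: the page's broker configuration with "targetIDP" misspelled.
SAMPLE = json.loads("""
{
  "alias": "slo",
  "name": "SAMLLogout",
  "configuration": {
    "pipeID": "pipeSLO",
    "targetIdp": "https://idp.company.org/idp",
    "internalSPID": "https://idp.company.org/brokerwithslo"
  },
  "id": "slo"
}
""")

if __name__ == "__main__":
    for finding in lint_saml_logout(SAMPLE):
        print("FINDING:", finding)
```

A misspelled key is worth catching before deployment because the entry is still well-formed JSON while one of the two broker properties is effectively absent.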
Requirements
- The incoming request contains a valid SAMLRequest