SAMLLogout

Performs SAML Single Logout (SLO).

NOTE: The behaviour has changed so that SLO is also supported when PAS is acting as a SAML SP, mostly in broker scenarios.

1: A logout request is triggered from the SP and received by PAS
2: PAS issues a logout request and sends it to all "External IdPs" that, according to metadata, support SLO, if applicable
3: PAS issues a logout request and sends it to all SPs that, according to metadata, support SLO
4: The PAS session is terminated
5: A logout response is sent to the SLO initiator

Properties

| Name | Description | Default value | Mandatory |
|---|---|---|---|
| pipeID | The id of the pipe to be executed | N/A | Yes |
| template | The UI template used. | autopost.template | No |
| targetIDP | The EntityID of the PAS IdP used in the federation | | Yes, in broker scenario |
| internalSPID | The EntityID of the PAS SP | | Yes, in broker scenario |

Example Configuration - No broker scenario

{
    "alias" : "slo",
    "name" : "SAMLLogout",
    "configuration" : {
        "pipeID" : "pipeSLO",
        "template" : "autopost"
    },
    "id" : "slo"
}

Example Configuration - broker scenario

{
    "alias" : "slo",
    "name" : "SAMLLogout",
    "configuration" : {
        "pipeID" : "pipeSLO",
        "targetIDP" : "https://idp.company.org/idp",
        "internalSPID" : "https://idp.company.org/brokerwithslo"
    },
    "id" : "slo"
}
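
A pre-deployment check for the two configurations above, written as an added example that is not part of PAS or its documentation: it applies the Properties table to a valve definition and reports a broker setup where only one of `targetIDP` / `internalSPID` is set. The helper name `lint_samllogout` is hypothetical, and the case-sensitivity of property names is an assumption.

```python
import json

# Rules taken from the Properties table on this page.
ALWAYS_REQUIRED = ("pipeID",)
BROKER_PAIR = ("targetIDP", "internalSPID")   # both mandatory in broker scenario
KNOWN = {k.lower(): k for k in ALWAYS_REQUIRED + BROKER_PAIR + ("template",)}


def lint_samllogout(valve_json):
    """Hypothetical helper: return a list of findings for one valve definition."""
    valve = json.loads(valve_json)
    if valve.get("name") != "SAMLLogout":
        return ["not a SAMLLogout valve: name=%r" % valve.get("name")]
    conf = valve.get("configuration") or {}
    findings = []

    def is_set(key):
        value = conf.get(key)
        return isinstance(value, str) and value.strip() != ""

    for key in ALWAYS_REQUIRED:
        if not is_set(key):
            findings.append("missing mandatory property: " + key)

    # Exactly one of the broker properties set means a half-configured broker.
    present = [k for k in BROKER_PAIR if is_set(k)]
    if len(present) == 1:
        missing = next(k for k in BROKER_PAIR if k not in present)
        findings.append("broker scenario incomplete: %s set, %s missing"
                        % (present[0], missing))

    # Assumption: property names are case-sensitive, so a near miss such as
    # "targetIdp" would leave the real property unset.
    for key in conf:
        canonical = KNOWN.get(key.lower())
        if canonical and canonical != key:
            findings.append("property %r should be spelled %r" % (key, canonical))
    return findings


# Constructed sample: the page's broker example with internalSPID misspelled.
SAMPLE = """{
  "alias": "slo", "name": "SAMLLogout", "id": "slo",
  "configuration": {
    "pipeID": "pipeSLO",
    "targetIDP": "https://idp.company.org/idp",
    "internalSpId": "https://idp.company.org/brokerwithslo"
  }
}"""
```

Calling `lint_samllogout(SAMPLE)` returns two findings, the incomplete broker pair and the misspelled key; both example configurations on this page return an empty list.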

Requirements

  • The incoming request contains a valid SAMLRequest