SAMLLogout

Achieves SAML SLO, single logout.

NOTE: Changed behaviour in order to also be able to support SLO when PAS is acting as a SAML SP, mostly in broker scenarios.

1: A logout request is triggered from SP and received by PAS
2: PAS will issue logout request as send it to all "External IdPs" that according to metadata support SLO, if applicable
3: PAS will issue logout request as send it to all SPs that according to metadata support SLO
4: The PAS session will be terminated
5: The a logout response is sent to the SLO initiator

Properties

Name Description Default value Mandatory
pipeID The id of the pipe to be executed N/A Yes
template The UI template used. autopost.template No
targetIDP The EntityID of the PAS IdP used in the federation Yes, in broker scenario
internalSPID The EntityID of the PAS SP Yes, in broker scenario

Example Configuration - No broker scenario

{
    "alias" : "slo",
    "name" : "SAMLLogout",
    "configuration" : {
      "pipeID" : "pipeSLO",
      "template" : "autopost"
    },
    "id" : "slo"
  }

Example Configuration - broker scenario

{
    "alias" : "slo",
    "name" : "SAMLLogout",
    "configuration" : {
      "pipeID" : "pipeSLO",
	   "targetIDP": "https://idp.company.org/idp",
	   "internalSPID": "https://idp.company.org/brokerwithslo"
    },
    "id" : "slo"
  }

Requirements

  • The incoming request contains a valid SAMLRequest