SAML logout

SP-initiated logout

The SAML SP-initiated logout is a process where a Service Provider (SP) initiates the logout request, notifying the Identity Provider (IdP) that the customer has chosen to log out. The IdP, in turn, ensures that all connected SPs associated with the session are logged out, terminating the customer's session across all services that share the same authentication context. This provides a coordinated, secure logout across all relevant services.

How it works

  1. SP initiates and sends the logout request: The SP initiating the logout process generates a SAML Logout Request, digitally signs it, and sends the request to the IdP's Single Logout (SLO) URL via the customer’s browser.
  2. IdP validates the logout request: The IdP verifies the signature on the logout request to ensure it was sent by the correct SP.
  3. IdP processes the logout request: After validating the request, the IdP identifies all other SPs involved in the customer’s Single Sign-On (SSO) session that support SLO. The IdP then generates a logout request for each SP, sends it to their respective SLO URLs, and waits for their logout responses.
  4. SPs terminate customer sessions: As each SP receives and verifies the logout request, it ends the customer’s session. Once all SPs have confirmed their session termination, the IdP terminates its own session and sends a final logout response back to the originating SP, indicating whether the full or partial logout was successful.

IdP-initiated logout

The SAML IdP-initiated back-channel logout is a process where the Identity Provider (IdP) triggers logout requests to all connected Service Providers (SPs). This process happens through server-to-server communication, bypassing the customer's browser. It ensures that all SPs terminate the customer's session, even if the customer does not interact directly with each SP.

How it works

  1. IdP initiates the logout: The logout is initiated by the IdP, typically triggered by an administrator or automatically due to a session timeout. The IdP identifies all SPs involved in the current Single Sign-On (SSO) session that support SLO. For each SP, the IdP generates a new SAML logout request and sends it to that SP’s SLO URL, then waits for the corresponding logout responses.
  2. SPs terminate sessions: As each SP receives and verifies the logout request, it ends the customer’s session. Once all SPs have confirmed their session termination, the IdP terminates its own session.

Configuration

To configure the settings related to SAML logout, follow the steps below:

  1. Start by logging into the Admin Console using an admin account.
  2. From the left-hand menu, select Applications.
  3. Select one of your existing applications with a SAML2 client or create a new one.
  4. When editing your application, go to the SAML2 tab.

Single Logout (SLO) URLs

  • To enter an SP's SLO URL, follow the instructions above, find Single Logout (SLO) URLs on the SAML2 tab, and select +Add SLO URL.

The SLO URL for the SP can typically be found in the SP’s metadata. This contains important configuration details, including the SLO endpoint, which serves as the SP’s SLO URL.

Name ID format and value

  • Name ID format: The Name ID format defines the format of the NameID element in the SAML assertion, which represents the customer’s identity during the authentication process. The format tells the IdP and SP how the customer's identity is represented. The following options are available:
    • Transient: A temporary, short-lived identifier used only for the duration of a single session. This format is useful when the identity does not need to be persisted across multiple sessions.
    • Persistent: A long-lasting, uniquely generated identifier that remains consistent across sessions.
    • Email Address: Uses the customer's email address as the NameID.
    • Unspecified: No specific format is enforced, giving flexibility to how the NameID is represented.
  • Name ID value: The Name ID value defines which attribute from the identity store is used to populate the NameID field in the SAML assertion. This allows you to choose what information will represent the customer during authentication.

Signing certificate

  • A certificate containing an RSA public key, used to verify the authenticity and integrity of digitally signed SAML messages, such as logout requests and logout responses, ensuring secure communication between the IdP and SP.

An example of a signing certificate:

-----BEGIN CERTIFICATE-----
[base64-encoded certificate body]
-----END CERTIFICATE-----

SLO endpoints

  1. To find the SAML SLO endpoints, follow the instructions above, go to Identity provider metadata, and use the Metadata URL to download the XML file with the metadata.
  2. The SingleLogoutService elements with Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" and Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" contain the SLO endpoints of Strivacity, one per binding.
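The two items above describe reading the SLO endpoints, and the section before it the signing certificate, out of the IdP metadata. As an added example (not Strivacity's own code), the following Python reads both from a metadata document: the SingleLogoutService Location per binding and the X509Certificate under the signing KeyDescriptor. The metadata below is constructed for the example, with a placeholder hostname and certificate body.

```python
# Added example, not Strivacity's code: extract SLO endpoints and signing certificate(s)
# from SAML 2.0 IdP metadata, as an SP operator would after downloading it from the
# Metadata URL. SAMPLE_METADATA is constructed; the certificate body is a placeholder.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/provider/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/provider/saml2/logout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/provider/saml2/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/provider/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SLO endpoints keyed by binding URI, and signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    slo = {}
    for svc in idp.findall("md:SingleLogoutService", NS):
        binding, location = svc.get("Binding"), svc.get("Location")
        if not (binding and location):
            raise ValueError("SingleLogoutService without Binding/Location")
        if not location.startswith("https://"):
            raise ValueError(f"SLO endpoint is not https: {location}")
        slo[binding] = location
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((cert.text or "").split()))  # drop line breaks
    return {"entity_id": root.get("entityID"), "slo": slo, "signing_certs": certs}


def slo_endpoint(meta: dict, binding: str) -> str:
    """The URL to send a logout request to for a given binding, or an error if absent."""
    try:
        return meta["slo"][binding]
    except KeyError:
        raise ValueError(f"IdP advertises no SLO endpoint for binding {binding}") from None
```

The binding matters when picking the endpoint: a request deflated and placed in the query string must go to the HTTP-Redirect Location, a base64 form post to the HTTP-POST Location, even when, as in the sample, both resolve to the same URL.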

Logout request structure

A SAML logout request is an XML-based message containing the following key elements:

  • <samlp:LogoutRequest>: The root element of the logout request, containing attributes such as the request ID, version, timestamp, and destination URL.
  • <saml:Issuer>: Identifies the SP making the logout request, linking it to the SP's metadata.
  • <saml:NameID>: Identifies the customer whose session is being terminated, with attributes defining the SP context and the format of the identifier.
  • Signature: A cryptographic element that verifies the authenticity and integrity of the message (an enveloped ds:Signature element for the HTTP-POST binding, or the Signature query parameter for the HTTP-Redirect binding). It ensures that the request has not been tampered with and confirms that it was sent by a trusted entity.

An example of a logout request:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="[randomly generated string]" Version="2.0" IssueInstant="[timestamp formatted as YYYY-MM-DDThh:mm:ssZ in UTC timezone]" Destination="https://[your cluster hostname]/provider/saml2/logout">
  <saml:Issuer>[SAML SP entity ID, which issues the request (check the Strivacity admin console for this)]</saml:Issuer>
  <saml:NameID SPNameQualifier="[the same SAML SP entity ID as the Issuer (not validated)]" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">[Name ID value, the account will be looked up based on this value (at the attribute configured for the client)]</saml:NameID>
</samlp:LogoutRequest>

An example of a logout request with signature (HTTP-redirect binding):

https://[Strivacity cluster hostname]/provider/saml2/logout
?SAMLRequest=fZJBa9tAEIXvhf6HQScH4qjkuNiGUhEwxKWt00JrfFivxtaS1a66M+vU/fWdkUobcohO0uy8efO+1YJsHwZzn06p8Bf8WZAYfvUhkhlPllXJ0SRLnky0PZJhZ7bvN/fm9uadGXLi5FKonkleV1gizOxTrGDdLKtdtrFNfbjACSNmy9gCcfbxtK/gG2aSzmUlQmknKriOxDayCNnLaLb9AMeUe8uqtATf5ZlvNvOmeeg60/eG6Af4CF8fPoBKfqeIMroRrY+Wx/Ed80CmrneXVDK4UIgxQ5eIdf99LSnPvsVca7zbOoysqtXbNwALLZlxtbzaaUrYfgKM7PkiAa/hqfOuA68NBNwh5L+MZ65D9ziWthL4bJ1KbNvLsi5FSgE1mTR4utov6udG/50/yoLrRjz15XOxwR89ZsUjc6VDhr/cSSnp6TQLZjExnEXYKvwrYXM38nz9GrXi2/mE3rDcInlxqFY7XURdZGTB69HJOpdKZHjyIcABIaT0KLdVBjhYkpcUx5STBGaWJxULlkNhVBxHfypZWiciUgpq94/LhEG4TN8v/ufVHw==
&RelayState=StrivacityExample
&SigAlg=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
&Signature=cji+9NgQNQvLDX6SM/cLjAIL8UDZlEBaQcdNYmE06HSLQfbCT28NGprfQITr3FxXds4clkyQDupSDsBv7YJRvacbLgQwLtiUixbDPIOML/9/RgIbPrHrzfoKznO52GLP9inTuFKG/8PEuPbCrzRNtv6DbkBezmn/A3yzvbOEA7tKGCvy7WsnWD+OXq32+Uq+u+TOPxwvXIAWvmwSvk7sMzPsOIa6SdhlARbGVndEpAMvGkE+ytaeK4c8hTz+qXDPY+n9/lvpCKOXxoYwEB1uHQOH+Liq9N7+xnZjedR4ZqxmEcvLPtzcAZkJZJlmMWAaEzTYKh7sSWCIV0zgaZOYLqmCfiGVR7JcMOrtS+n78Wgcjtq02qIKx+hAKmn8+mPMR2jf9gyp7q170tP8TatsFJbelbl45MUFzYcKCkLER5RoThv5grUQkZt2o8oJifxHgW/uRZNJp0LkHJiAPpZfAjtnzuZaEY9ssG5wPGtKUadqWcazgyGVF4aflWY8HDXd73b4VpIewOxRtcX6S7c27+HKrCRXWn9kaoXPSiFL/B0uPqPQjiycSoAaEbgpGr2p0QNwYp1MxrGC0v7RRdQR0i9Y/v7GQ6QuvleUHrzR3neD6gocWfhpM0cREx6dDbE0t+VO7q4VJQzIlcUDbgy5D1jcWrPp8z8L7WRiPAkF+/U=
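The following Python is an added example, not Strivacity's code, covering both the logout request structure above and the HTTP-Redirect binding just shown. It builds a LogoutRequest with the elements listed, encodes it as the SAMLRequest query parameter (raw DEFLATE, base64, URL-encoding), and on the receiving side recovers the XML together with the exact bytes the SP's signature covers, then runs the checks an IdP makes before acting on the request. Hostnames, entity IDs and the NameID are constructed; the RSA-SHA256 signing and verification over the returned signed_data are assumed to be done with a cryptography library and are not part of the block.

```python
# Added example, not Strivacity's code. Constructed identifiers throughout; RSA signing
# and verification over signed_data are assumed to be handled by a crypto library.
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import quote, unquote, urlsplit
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ATTR = {'"': "&quot;"}  # extra escaping needed inside attribute values


def build_logout_request(issuer: str, name_id: str, destination: str, now: datetime) -> str:
    rid = "_" + secrets.token_hex(16)  # XML IDs must not start with a digit
    instant = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{rid}" '
        f'Version="2.0" IssueInstant="{instant}" Destination="{escape(destination, ATTR)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f'<saml:NameID SPNameQualifier="{escape(issuer, ATTR)}" Format="{TRANSIENT}">'
        f"{escape(name_id)}</saml:NameID></samlp:LogoutRequest>"
    )


def deflate_b64(xml_text: str) -> str:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()


def inflate_b64(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()


def redirect_query(xml_text: str, relay_state: Optional[str], sig_alg: str = RSA_SHA256) -> str:
    """Query string without Signature. The SP signs exactly these bytes (URL-encoded,
    in this parameter order) and appends &Signature=<url-encoded base64 signature>."""
    parts = [("SAMLRequest", deflate_b64(xml_text))]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in parts)


def parse_redirect_logout(url: str) -> dict:
    # Work from the raw, still URL-encoded parameters: the signature covers them as sent,
    # so decoding and re-encoding could change the bytes and make a valid signature fail.
    raw = dict(pair.partition("=")[::2] for pair in urlsplit(url).query.split("&"))
    for required in ("SAMLRequest", "SigAlg", "Signature"):
        if required not in raw:
            raise ValueError(f"missing {required} parameter")
    signed = f"SAMLRequest={raw['SAMLRequest']}"
    if "RelayState" in raw:
        signed += f"&RelayState={raw['RelayState']}"
    signed += f"&SigAlg={raw['SigAlg']}"
    return {
        "xml": inflate_b64(unquote(raw["SAMLRequest"])),
        "signed_data": signed.encode(),
        "sig_alg": unquote(raw["SigAlg"]),
        "signature": base64.b64decode(unquote(raw["Signature"])),
        "relay_state": unquote(raw["RelayState"]) if "RelayState" in raw else None,
    }


def validate_logout_request(xml_text: str, expected_destination: str, registered_sps: set,
                            now: datetime, max_skew: timedelta = timedelta(minutes=5)) -> list:
    """Return the problems found; an empty list means the request may be acted on once
    the signature over signed_data verifies against the Issuer's registered certificate."""
    ns = {"saml": SAML}
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return ["root element is not samlp:LogoutRequest"]
    problems = []
    if root.get("Version") != "2.0":
        problems.append("unsupported Version")
    if root.get("Destination") != expected_destination:
        problems.append("Destination does not match this SLO endpoint")
    issuer = root.find("saml:Issuer", ns)
    if issuer is None or (issuer.text or "").strip() not in registered_sps:
        problems.append("Issuer is not a registered SP")
    try:
        instant = datetime.strptime(root.get("IssueInstant", ""), "%Y-%m-%dT%H:%M:%SZ")
        if abs(now - instant.replace(tzinfo=timezone.utc)) > max_skew:
            problems.append("IssueInstant outside the accepted clock-skew window")
    except ValueError:
        problems.append("IssueInstant missing or malformed")
    name_id = root.find("saml:NameID", ns)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing")
    return problems
```

The Destination check ties the request to the endpoint that received it, and the IssueInstant window limits how long a captured request stays usable; both run before the NameID is resolved to an account. The Issuer decides which registered SP certificate is used to verify signed_data, so a request whose Issuer is unknown is rejected without any signature check at all.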

An example of a logout request with signature (HTTP-POST binding):

<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx14c2e85f-1eb8-c9e5-b1a6-a0192946df57" Version="2.0" IssueInstant="[timestamp formatted as YYYY-MM-DDThh:mm:ssZ in UTC timezone]" Destination="https://[your cluster hostname]/provider/saml2/logout">
  <saml:Issuer>[SAML SP entity ID, which issues the request (check the Strivacity admin console for this)]</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#pfx14c2e85f-1eb8-c9e5-b1a6-a0192946df57">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>NAGSIoYabsdoTIvfIfhpRa2lMqc=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>[base64-encoded signature value]</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>[base64-encoded signing certificate]</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml:NameID SPNameQualifier="[the same SAML SP entity ID as the Issuer (not validated)]" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">[Name ID value, the account will be looked up based on this value (at the attribute configured for the client)]</saml:NameID>
</samlp:LogoutRequest>
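With the HTTP-POST binding the signature travels inside the XML as an enveloped ds:Signature, so the receiver has to check where that signature sits before trusting what it covers. The following Python is an added example, not Strivacity's code: it decodes the SAMLRequest form field (plain base64, no DEFLATE for this binding) and checks that exactly one Signature is a direct child of the LogoutRequest, that its Reference URI points at the LogoutRequest's own ID, and that the SignatureMethod is on an allow-list, before the document is handed to an XML-DSig library for digest and signature verification. The signed request below is constructed for the example; its signature, digest and identifiers are placeholders.

```python
# Added example, not Strivacity's code: structural checks on an HTTP-POST-bound
# LogoutRequest before XML-DSig verification. SIGNED_REQUEST is constructed; its
# DigestValue and SignatureValue are placeholders and would not verify cryptographically.
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

SIGNED_REQUEST = """<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="https://idp.example.test/provider/saml2/logout">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_req1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
  <saml:NameID SPNameQualifier="https://sp.example.test/saml" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx1</saml:NameID>
</samlp:LogoutRequest>
"""


def decode_post_binding(saml_request_field: str) -> str:
    """HTTP-POST carries the XML as plain base64 (no DEFLATE, unlike HTTP-Redirect)."""
    return base64.b64decode(saml_request_field).decode()


def check_signature_placement(xml_text: str, allowed_sig_algs=(RSA_SHA256,)) -> list:
    """Structural checks only; returns the problems found. An empty list means the
    document can be passed on to an XML-DSig verifier with the Issuer's certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return ["root element is not samlp:LogoutRequest"]
    direct = root.findall("ds:Signature", NS)          # children of the root only
    anywhere = root.findall(".//ds:Signature", NS)     # any depth below the root
    if len(direct) != 1 or len(anywhere) != 1:
        return [f"expected exactly one ds:Signature directly under LogoutRequest, "
                f"found {len(direct)} direct and {len(anywhere)} total"]
    sig = direct[0]
    problems = []
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        problems.append("expected exactly one ds:Reference")
    elif refs[0].get("URI") != "#" + (root.get("ID") or ""):
        problems.append("Reference URI does not point at the LogoutRequest ID")
    else:
        transforms = [t.get("Algorithm") for t in refs[0].findall("ds:Transforms/ds:Transform", NS)]
        if ENVELOPED not in transforms:
            problems.append("enveloped-signature transform missing")
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None or method.get("Algorithm") not in allowed_sig_algs:
        problems.append("SignatureMethod not in the allowed set")
    if sig.find("ds:SignatureValue", NS) is None:
        problems.append("SignatureValue missing")
    return problems
```

The Reference check is the one that matters most: a signature whose Reference points at some other element's ID proves nothing about the LogoutRequest, its Issuer or its NameID, even if the cryptographic verification of that reference succeeds.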