IDP logout customizations

Cantor, Scott cantor.2 at osu.edu
Mon Apr 8 14:32:45 EDT 2019


On 4/8/19, 2:22 PM, "users on behalf of Liam Hoekenga" <users-bounces at shibboleth.net on behalf of liamr at umich.edu> wrote:

> Doesn't the "return" parameter for the SP's local logout handler let you do the same thing? 

Not if you don't configure it to allow that.

> I was thinking maybe with the future solution, maybe it would allow you to redirect if the URL matched the SP
> Information URL in the MDUI metadata elements?

Those elements are not for that purpose.

You can do anything you choose, obviously, but you're just reinventing SAML logout and then choosing to implement it in a way that makes actual single logout impractical since the IdP can't maintain control to do that step.

We could implement yet another option that will cause a full frame response to the SP's logout endpoint in the event that the user chooses, or the system is configured, not to do logout propagation. I may even have done it already when I added all the other options; I'd have to review what it does when that happens.

-- Scott



