SSO Logout

Transaction to log out a user from the IdP and all session participants. Primary systems shall perform this transaction to notify the IdP when a user logs out, or to receive a notification from the IdP when the user has logged out from another application sharing the same IdP session.

Overview

Primary systems shall perform this transaction to notify the IdP when a user logs out, or to receive a notification from the IdP when the user has logged out from another relying party sharing the same session.

Transaction

Message Semantics

Messages are encoded as described in Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 and the ordinances to the Swiss EPR.

Request Message

The following snippet shows the content of a logout request, with some elements omitted to increase readability.

The major content (lines 9..32) of the message is required to sign the message in compliance with the SAML 2.0 specification. Apart from that, the message conveys the following information:

  • ID: A unique ID of the request message (line 4).
  • Destination: An identifier of the receiver endpoint. For primary systems sending the request, this shall be the URL of IdP logout endpoint (line 7).
  • NameID: The electronic ID used to authenticate the user (line 33). Its value shall match the value provided in the IdP Assertion (see Authenticate User).
  • SessionIndex: The unique ID of the session used to identify all systems sharing the same session. Its value shall match the Session Index provided in the IdP Assertion (see Authenticate User).
2_Logout Request.xml
<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="pfxd4d369e8-9ea1-780c-aff8-a1d11a9862a1"
    Version="2.0"
    IssueInstant="2020-07-18T01:13:06Z"
    Destination="http://idp.example.com/SSOLogoutService">
    <saml:Issuer>http://sp.application.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#pfxd4d369e8-9ea1-780c-aff8-a1d11a9862a1">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>Q9PRlugQZKSBt+Ed9i6bKUGWND0=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            <!-- omitted for brevity -->
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    <!-- omitted for brevity -->
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:NameID SPNameQualifier="http://sp.application.com" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">IdP_User_ID_f92cc183</saml:NameID>
    <samlp:SessionIndex>bdfe3302-3ed8-11eb-b378-0242ac130002</samlp:SessionIndex>
</samlp:LogoutRequest>

Response Message

The following snippet shows the content of a logout response, with some elements omitted to increase readability.

The major content (lines 9..32) of the message is required to sign the message in compliance with the SAML 2.0 specification. Apart from that, the message conveys the following information:

  • ID: A unique ID of the request message (line 4).
  • Destination: An identifier of the receiver endpoint as URL (line 7).
  • InResponseTo: The unique ID of the initial request (line 8).
  • Status: The return status of the request, indicating success or failure (line 34 .. 36).
2_Logout Response.xml
<samlp:LogoutResponse
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="pfxe335499f-e73b-80bd-60c4-1628984aed4f"
    Version="2.0"
    IssueInstant="2020-07-18T01:13:06Z"
    Destination="http://sp.example.com/demo1/index.php?acs"
    InResponseTo="pfxd4d369e8-9ea1-780c-aff8-a1d11a9862a1">
    <saml:Issuer>http://idp.example.com/SSOLogoutService</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#pfxe335499f-e73b-80bd-60c4-1628984aed4f">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>PusFPAn+RUZV+fBvwPffNMOENwE=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            <!-- omitted for brevity -->
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    <!-- omitted for brevity -->
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
</samlp:LogoutResponse>
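
The field checks a primary system can run on an incoming LogoutRequest or LogoutResponse, as an added example that is not part of the original page or the EPR specification. It assumes the XML signature has already been verified by the SAML library in use; the function names, the `session` dict layout and the sample endpoint URL are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _root(xml_text, local_name):
    # SAML messages never carry a DTD; refuse one before parsing.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in a SAML message")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}%s" % (NS["samlp"], local_name):
        raise ValueError("expected samlp:" + local_name)
    return root

def check_logout_request(xml_text, own_endpoint, session):
    """Problems in a LogoutRequest received from the IdP. `session` (assumed
    layout) holds NameID and SessionIndex from the IdP Assertion at login."""
    root, problems = _root(xml_text, "LogoutRequest"), []
    if root.get("Destination") != own_endpoint:
        problems.append("Destination is not this endpoint")
    if root.findtext("saml:NameID", namespaces=NS) != session["name_id"]:
        problems.append("NameID differs from the IdP Assertion")
    # SessionIndex is declared in the protocol namespace by the SAML 2.0 schema.
    indexes = [e.text for e in root.findall("samlp:SessionIndex", NS)]
    if session["session_index"] not in indexes:
        problems.append("SessionIndex differs from the IdP Assertion")
    return problems

def check_logout_response(xml_text, own_endpoint, pending_ids):
    """Problems in a LogoutResponse to a LogoutRequest this system sent."""
    root, problems = _root(xml_text, "LogoutResponse"), []
    if root.get("Destination") != own_endpoint:
        problems.append("Destination is not this endpoint")
    if root.get("InResponseTo") not in pending_ids:
        problems.append("InResponseTo matches no pending LogoutRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("Status is not Success")
    return problems

# Constructed sample (signature left out), modelled on the response above.
SAMPLE_RESPONSE = (
    '<samlp:LogoutResponse xmlns:samlp="%s" ID="resp-1" Version="2.0" '
    'Destination="https://sp.example.com/slo" InResponseTo="req-1">'
    '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
    '</samlp:LogoutResponse>' % (NS["samlp"], SUCCESS))

if __name__ == "__main__":
    print(check_logout_response(SAMPLE_RESPONSE, "https://sp.example.com/slo", {"req-1"}))
```

An empty list means every check passed; each entry otherwise names one field that should cause the message to be rejected and recorded in the audit log.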

Transport Protocol

The LogoutRequest may be sent by primary systems to the IdP using one of the following bindings:

  • SAML 2.0 HTTP POST binding via the frontchannel (involving the browser).
  • SAML 2.0 SOAP binding via the backchannel.

Audit Log

Primary systems shall record the transaction in their logs to ensure traceability. No further requirements are defined in the ordinances of the Swiss EPR.

Security Requirements

Communication via the SOAP backchannel shall be secured with TLS and mutual authentication, using client and server certificate validation. The certificates used shall be exchanged during the client registration process.

Communication via the frontchannel (involving the browser) shall be secured with HTTPS and mutual authentication, using server certificate validation.

Test Opportunity

The transaction can be tested with the Gazelle test suite of the EPR reference environment, or test systems of the EPR communities.


Last update: 2025-01-10