spring saml: How is LOGOUT handled? Is it mandatory to have logout endpoint in IDP metadata xml?

spring spring-security logout saml-2.0 spring-saml
SM KUMAR picture SM KUMAR · Oct 14, 2014 · Viewed 10.5k times · Source

I am using Spring SAML implementation. SSO circle metadata xml was having logout endpoint which helps in local logout and global logout. But there are some other IDP's which I am interacting with and are not having logout endpoints in their metadata xml.

How should LOGOUT be handled in these scenarios?

Is deleting cookies of the request the only solution of this problem or is there any workaround for this scenario?

Your help in this regard is much appreciated.

Answer

Vladimír Schäfer picture Vladimír Schäfer · Oct 14, 2014

It is not mandatory for your IDPs to have a SingleLogout endpoint. You can perform local logout which cleans local cookies by calling /saml/logout?local=true. You can find all the details in the manual.

Related questions

How to manually log out a user with spring security?

Probably the answer is simple: How can I manually logout the currently logged in user in spring security? Is it sufficient to call: SecurityContextHolder.getContext().getAuthentication().setAuthenticated(false); ?

Read More
Logout leaves behind JSESSIONID on the browser. How to clear it?

I am using the following code for logging out a user off my system. /** * This function helps to set the session attribute for the present user to null and then * removes the attribute itself and this helps in clearing the …

Read More
Spring security logout goes to j_spring_security_logout

In my web application when I tries to logout it goes to j_spring_security_logout instead of the given page. In my spring-security.xml page i have added <logout logout-success-url="/login" delete-cookies="JSESSIONID" /> The problem is this …

Read More