
Logout request

A LogoutRequest is sent by either the SP or the IdP to initiate single logout. The recipient terminates the user's session and replies with a LogoutResponse.

Send a logout request

Both ServiceProviderWrapper and IdentityProviderWrapper expose sendLogoutRequest(). It builds and signs the request (if the sender has a signing certificate), then returns a PSR-7 ResponseInterface using the recipient's SLO binding.

SP initiates logout:

// $nameId: the NameID of the user whose session to terminate
// $idp: the IdP descriptor (target of the request)
$response = $spWrapper->sendLogoutRequest($idp, $nameId);

IdP initiates logout:

$response = $idpWrapper->sendLogoutRequest($sp, $nameId);

Optional parameters:

$response = $spWrapper->sendLogoutRequest(
    recipient: $idp,
    nameId: $nameId,
    relayState: '/logged-out', // Opaque state string
    sessionIndex: $sessionIndex, // The session index from the original AuthnResponse
);

Receive a logout request

At your SLO endpoint, call handleLogoutRequest() to decode and deserialize the incoming request:

// $request is the PSR-7 ServerRequestInterface at your SLO endpoint
$logoutRequest = $spWrapper->handleLogoutRequest($request);
// or
$logoutRequest = $idpWrapper->handleLogoutRequest($request);

$nameId = $logoutRequest->nameId;
$sessionIndex = $logoutRequest->sessionIndex;
$relayState = $logoutRequest->relayState;

// Terminate the user's session, then send a response

The returned LogoutRequest object:

| Property | Type | Description |
| --- | --- | --- |
| id | string | Unique request ID |
| issuer | string | Entity ID of the sender |
| nameId | ?string | NameID of the user to log out |
| sessionIndex | ?string | Session index to terminate |
| relayState | ?string | Opaque state string |

Validating the signature

use Litesaml\Exceptions\SamlException;

try {
    $logoutRequest = $spWrapper->handleLogoutRequest($request, validate: true, issuer: $idp);
} catch (SamlException $e) {
    // Signature is missing or invalid
}
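
Once the request has passed validation, the endpoint still has to decide which local sessions it may terminate. The following is an added example, not Litesaml code: it selects sessions by the issuer, nameId and sessionIndex properties of the LogoutRequest so that one sender cannot end sessions established by another. The session store layout, the function name and the policy for a missing sessionIndex are assumptions of this example.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not part of Litesaml. Returns the local session IDs that a
 * validated LogoutRequest is allowed to terminate.
 *
 * @param array<string, array{issuer: string, nameId: string, sessionIndex: string}> $sessions
 *        hypothetical session store, keyed by local session ID
 * @return list<string>
 */
function sessionsToTerminate(array $sessions, string $issuer, ?string $nameId, ?string $sessionIndex): array
{
    // nameId is nullable on the LogoutRequest object; with no subject, match nothing.
    if ($nameId === null || $nameId === '') {
        return [];
    }

    $matches = [];
    foreach ($sessions as $localId => $session) {
        // Scope to the sender: only sessions established by this issuer for this subject.
        if ($session['issuer'] !== $issuer || $session['nameId'] !== $nameId) {
            continue;
        }
        // Assumed policy: a missing sessionIndex selects every session of that subject.
        if ($sessionIndex === null || $session['sessionIndex'] === $sessionIndex) {
            $matches[] = $localId;
        }
    }
    return $matches;
}

// Constructed sample data: same NameID at two IdPs, plus a second user.
$sessions = [
    'sess-a' => ['issuer' => 'https://idp.example.test', 'nameId' => 'alice', 'sessionIndex' => '_idx1'],
    'sess-b' => ['issuer' => 'https://idp.example.test', 'nameId' => 'alice', 'sessionIndex' => '_idx2'],
    'sess-c' => ['issuer' => 'https://other-idp.example.test', 'nameId' => 'alice', 'sessionIndex' => '_idx1'],
    'sess-d' => ['issuer' => 'https://idp.example.test', 'nameId' => 'bob', 'sessionIndex' => '_idx3'],
];

// In the SLO endpoint these arguments would come from the validated request:
// $logoutRequest->issuer, $logoutRequest->nameId, $logoutRequest->sessionIndex.
$single = sessionsToTerminate($sessions, 'https://idp.example.test', 'alice', '_idx1');
$all    = sessionsToTerminate($sessions, 'https://idp.example.test', 'alice', null);

echo 'with sessionIndex: ', implode(', ', $single), PHP_EOL;
echo 'without sessionIndex: ', implode(', ', $all), PHP_EOL;
```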