Skip to main content

Logout response

A LogoutResponse is sent in reply to a LogoutRequest. It confirms that the session has been terminated.

Send a logout response

After receiving and processing a LogoutRequest, send a response back to the initiator using sendLogoutResponse():

// $recipient: the party that sent the LogoutRequest (their SLO endpoint is used)
$response = $spWrapper->sendLogoutResponse($idp);
// or
$response = $idpWrapper->sendLogoutResponse($sp);

The response always carries a Success status. It is signed if the sender has a signing certificate configured.

Receive a logout response

At your SLO endpoint (when you initiated the logout), call handleLogoutResponse() to decode the response:

$logoutResponse = $spWrapper->handleLogoutResponse($request);
// or
$logoutResponse = $idpWrapper->handleLogoutResponse($request);

$id = $logoutResponse->id;
$relayState = $logoutResponse->relayState;

The returned LogoutResponse object:

PropertyTypeDescription
idstringUnique response ID
issuerstringEntity ID of the sender
relayState?stringOpaque state string forwarded from the request

Validating the signature

use Litesaml\Exceptions\SamlException;

try {
$logoutResponse = $spWrapper->handleLogoutResponse($request, validate: true, issuer: $idp);
} catch (SamlException $e) {
// Signature is missing or invalid
}

Typical SLO flow

SP                        IdP
| |
|--- LogoutRequest ------->| (SP initiates)
| | (IdP terminates session)
|<-- LogoutResponse -------|
| |
// Route: POST /saml/slo (SP side — receiving response after SP initiated)
$logoutResponse = $spWrapper->handleLogoutResponse($request, validate: true, issuer: $idp);
// Redirect to the logged-out page

// Route: GET /saml/slo (SP side — receiving a request initiated by IdP)
$logoutRequest = $spWrapper->handleLogoutRequest($request, validate: true, issuer: $idp);
// Terminate session
$response = $spWrapper->sendLogoutResponse($idp);
// Emit $response