Suomi.fi e-Identification –
Logout response (LogoutResponse)

An e-service can send a logout response to Suomi.fi identification or vice versa. The structure of the message is similar in both cases. Sample messages for the HTTP-Redirect and HTTP-POST bindings are shown below.

Logout response (HTTP-Redirect)

The example shows a response returned by Suomi.fi identification (in element saml2:Issuer) to an e-service (in attribute Destination) that has requested logout.

When Suomi.fi identification has initiated the logout, the e-service's response to the logout request of Suomi.fi identification is the same, except that the sender (in element saml2:Issuer) and the recipient (in attribute Destination) are the other way around. NB! The SAML message is shown here in its original format, from which it is converted to the format transmitted between the devices.

<saml2p:LogoutResponse Destination="https://kalastus.mallikunta.fi/SAML/SLO/Redirect"
                       ID="_d852ff1c08bba9a0fc765bf7088f40a9"
                       InResponseTo="_980f14cdd1f0cae5e1c8fa1523c7f45d"
                       IssueInstant="2016-05-13T12:00:16.318Z"
                       Version="2.0"
                       xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.xyz/idp1</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
</saml2p:LogoutResponse>

Logout response (HTTP-POST)

The example shows the response returned by an e-service (in element saml2:Issuer) to Suomi.fi identification (in attribute Destination) that has requested logout.

When the e-service has initiated the logout, the response of Suomi.fi identification to the e-service is the same, except that the sender (in element saml2:Issuer) and the recipient (in attribute Destination) are the other way around. NB! The SAML message is shown here in its original format, from which it is converted to the format transmitted between the devices.

<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                       Destination="https://idp.xyz/idp/profile/SAML2/POST/SLO"
                       ID="1ba9-4d7c-8911-784abe3a2be5-9848d089d7ac"
                       InResponseTo="4c76-4263-82d2-e952a2783c63-00027d00d6c4"
                       IssueInstant="2015-11-09T13:48:21.218Z"
                       Version="2.0">
  <saml2:Issuer>https://kalastus.mallikunta.fi/SAML2SP</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#MPL_fcfe337dd7b3-23396834-1ba9-4d7c-8911-784abe3a2be5-9848d089d7ac">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ds:InclusiveNamespaces xmlns:ds="http://www.w3.org/2001/10/xml-exc-c14n#"
                                    PrefixList="#default ds saml samlp xs xsi"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>GNUwbhYppmg7ZIgWpMuJFh0tU57qgNp2Osy313B2x9Q=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>lgrs...A==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIG..ITAf</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
</saml2p:LogoutResponse>
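
The fields shown in the two samples are the ones a receiver has to check before treating a logout as confirmed. The following is an added example, not part of the Suomi.fi documentation: the function name, parameters and five-minute clock-skew limit are assumptions, and signature verification is assumed to have been done by the SAML library beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Sample input: the HTTP-Redirect message from this page, whitespace condensed.
SAMPLE = """<saml2p:LogoutResponse Destination="https://kalastus.mallikunta.fi/SAML/SLO/Redirect"
    ID="_d852ff1c08bba9a0fc765bf7088f40a9" InResponseTo="_980f14cdd1f0cae5e1c8fa1523c7f45d"
    IssueInstant="2016-05-13T12:00:16.318Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.xyz/idp1</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
</saml2p:LogoutResponse>"""


def check_logout_response(xml_text, my_slo_url, peer_entity_id, pending_ids,
                          now, max_skew=timedelta(minutes=5)):
    """Return a list of problems; an empty list means the fields are acceptable.
    Signature verification is out of scope: the SAML library must already have
    verified the message (hypothetical helper, names are assumptions)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "{%s}LogoutResponse" % NS["p"]:
        return ["root element is not saml2p:LogoutResponse"]
    problems = []
    if root.get("Destination") != my_slo_url:
        problems.append("Destination is not this endpoint")
    if root.findtext("a:Issuer", "", NS).strip() != peer_entity_id:
        problems.append("Issuer is not the expected peer")
    if root.get("InResponseTo") not in pending_ids:
        problems.append("InResponseTo matches no logout request we sent")
    stamp = root.get("IssueInstant", "").replace("Z", "+00:00")
    try:
        if abs(now - datetime.fromisoformat(stamp)) > max_skew:
            problems.append("IssueInstant outside allowed clock skew")
    except (ValueError, TypeError):  # missing, malformed, or no time zone
        problems.append("IssueInstant missing or malformed")
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("logout not confirmed: top-level StatusCode is not Success")
    return problems
```

Once a response has been accepted, the caller should remove its InResponseTo value from `pending_ids` so that the same response cannot be accepted twice.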

 


Document history

Version   Changes                         Date/Author
1.0       Document published on eSuomi    23.02.17/NP

Document identifier: JTO21