A SAML Single Logout (SLO) request follows the typical SAML message structure, with an ID, lifetime data, and information about its origin and destination.
The logout request also includes the name ID of the user logged out. This allows the recipient to confirm that they are logging out the correct user. For instance, if a logout request is received for Bob but Alice is currently logged in, the recipient would deny the request.
The logout request can optionally contain the reason for the logout, such as if it has been initiated by a user or an admin or if a global timeout was exceeded. The request can also include the session index, which identifies which sessions to logout. It must match the session ID at the recipient.
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_9088cb8766164b149e63358b92ece1c3"
Version="2.0"
IssueInstant="2020-05-11T20:24:11Z"
Destination="https://idp.identityserver.com/saml/slo"
NotOnOrAfter="2020-05-11T20:26:11Z"
Reason="urn:oasis:names:tc:SAML:2.0:logout:user">
<saml2:Issuer>https://sp.identityserver.com/saml</saml2:Issuer>
<saml2:NameID>73258</saml2:NameID>
<saml2:SessionIndex>_afa1ecb97404a988c0b9c18cc915e3b</saml2:SessionIndex>
</saml2p:LogoutRequest>