SAML Single Logout
Enable Single Logout
To enable Single Logout, you need to download a certificate (in PEM format) for decryption and enter an issuer for the IdP.
Figure Enable Single Logout and add IdP issuer
Log out of LINE WORKS, then IdP
Request URL
Register the request URL in Logout URL under SSO Type in the Developer Console.
HTTP method
GET
Request
| Parameter | Type | Required | Description |
|---|---|---|---|
| redirect_uri | String | Y | The URI to redirect to after logging out of the customer system. https://auth.worksmobile.com/saml2/sp/slo/callback is URL-encoded. |
| SAMLRequest | String | Y | A character string as specified in the SAML 2.0 request specification (encoded with Deflate + Base64) |
| SigAlg | String | Y | Signature Algorithm URI (URL-encoded). LINE WORKS supports SHA256. |
| Signature | String | Y | A value signed with SAMLRequest={samlRequest}&SigAlg={sigAlg} |
Caution
- When it is redirected to the IdP, only HTTP GET is supported.
Set a response after logging out of the IdP
Request URL
https://auth.worksmobile.com/saml2/sp/slo/callback
HTTP method
GET/POST
Request
| Parameter | Type | Required | Description |
|---|---|---|---|
| SAMLResponse | String | Y | A character string as specified in the SAML 2.0 logout response specification (encoded with Deflate + Base64) |
| SigAlg | String | N (Y For HTTP GET) | Signature Algorithm URI (URL-encoded). |
| Signature | String | N (Y For HTTP GET) | A value signed with SAMLRequest={samlRequest}&SigAlg={sigAlg} |
Caution
- The SigAlg and Signature parameters are required if the API request is made using the GET method.
- An embedded signature must be included in the SAMLResponse if the API request is made using the POST method.
Log out of the IdP, then LINE WORKS
Logs a user out of the customer system, then LINE WORKS.
LINE WORKS logs the users who remain logged in the LINE WORKS system out of it and redirects them to the requested redirect_uri,
which should be registered in advance in Logout Redirection Domain under SSO > WORKS as SP in the Developer Console because it is managed as the white_url.
Request URL
https://auth.worksmobile.com/saml2/sp/slo
HTTP method
POST
Request
| Parameter | Type | Required | Description |
|---|---|---|---|
| redirect_uri | String | Y | A URL to redirect to after logging out of LINE WORKS. It is URL-encoded. |
| SAMLRequest | String | Y | A character string as specified in the SAML 2.0 request specification (encoded with Deflate + Base64) |
| RelayState | String | N | Pass a value if necessary. |
After processing the logout request, LINE WORKS redirects the user with the SAMLResponse to the redirect_uri, using the POST method.
Send a response after logging out of LINE WORKS
Request URL
redirect_uri passed when a logout request is made
Request
| Parameter | Type | Required | Description |
|---|---|---|---|
| SAMLResponse | String | Y | A character string as specified in the SAML 2.0 logout response specification (encoded with Deflate + Base64) |
| RelayState | String | N | Return the value included in the logout request, if it exists. |