Logging Out with Maverics


You can log a user out of their Maverics session and (optionally) from their identity provider (IdP) session. When implementing logout in Maverics, it’s important to think about the three session layers that interact with each other:


Application Session Layer

Your own application maintains its own session to track whether a user is logged in. Even if you rely on Maverics for authentication, you still need to store user state (typically in a cookie or server session) inside your app.

  • To log the user out here: clear the application’s session data.

  • Handled entirely by your app.


Maverics Session Layer

Maverics also manages a session for the user, stored in its own secure cookies. This enables Single Sign‑On (SSO) across multiple apps integrated with Maverics.

  • To log the user out here: clear Maverics’ SSO cookie.

  • Handled by redirecting the user to Maverics’ logout endpoint.


Identity Provider Session Layer

The IdP (e.g., Okta, Azure AD, Google) also keeps its own session. If the user is still logged in at the IdP level, they can transparently re‑authenticate without re‑entering credentials.

  • Logging out here is optional but can be forced, depending on your security requirements.

  • Handled by triggering a logout request to the IdP.


Logout Flows in Maverics

Maverics supports multiple logout mechanisms depending on your app’s protocol and deployment type:

1. Single Logout (SLO)

  • What it does: Logs the user out of Maverics and propagates logout to all connected apps (if supported) and optionally the IdP.

  • When to use: You want one action to invalidate the session everywhere (Maverics SSO layer and any federated apps).

  • How: A standard redirect to the Maverics logout endpoint that cascades logout events.


2. SAML App Logout

  • What it does: For apps integrated via SAML, Maverics can send a SAML SingleLogoutRequest to that specific app.

  • When to use: If you only want to terminate the session for a SAML app but not necessarily other apps.

  • How: Trigger a logout flow specific to the SAML SP (service provider) through Maverics.


3. OIDC App Logout

  • What it does: For apps integrated with OpenID Connect (OIDC), Maverics can send an RP-Initiated Logout request.

  • When to use: When you want to log the user out from a specific OIDC-based app while still preserving other sessions.

  • How: The app redirects to Maverics with a logout request following OIDC specs, and Maverics clears its session for that app.


4. Proxy App Logout

  • What it does: For apps that sit behind a Maverics reverse proxy (but don’t support SAML or OIDC natively), logout is handled by clearing the Maverics proxy session and any custom cookies tied to that app.

  • When to use: When you have legacy or proxied apps that rely on Maverics for access control.

  • How: A call to the proxy-specific logout endpoint, which tears down the proxy-managed session.
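
As an added example (not Maverics' or this page's own code), the handler below sketches an application's logout route covering the first two session layers: it destroys the application session, then redirects with an OIDC RP-Initiated Logout request. The endpoint URL, client ID, cookie names and return URIs are placeholders assumed for illustration.

```python
import secrets
from urllib.parse import urlencode

# Placeholders assumed for this example, not Maverics defaults. In a real
# deployment take the endpoint from the "end_session_endpoint" field of the
# provider's OIDC discovery document.
END_SESSION_ENDPOINT = "https://maverics.example.com/oidc/end-session"
CLIENT_ID = "example-client-id"
DEFAULT_RETURN = "https://app.example.com/logged-out"
# Exact-match allowlist; each URI must also be registered with the provider.
ALLOWED_RETURNS = {DEFAULT_RETURN, "https://app.example.com/"}
COOKIE_ATTRS = "Path=/; HttpOnly; Secure; SameSite=Lax"


def logout(sessions, session_id, return_to=None):
    """Build the (status, headers) response for the app's logout route.

    `sessions` is a dict of session_id -> {"id_token": ...} standing in for
    the application's server-side session store.
    """
    # Unknown return targets fall back to the default, so the logout route
    # cannot be abused as an open redirect and logout itself never fails.
    if return_to not in ALLOWED_RETURNS:
        return_to = DEFAULT_RETURN

    # Layer 1 (application): destroy the local session first, so an abandoned
    # or failed redirect never leaves a usable app session behind.
    session = sessions.pop(session_id, None)
    headers = [("Set-Cookie", f"app_session=; Max-Age=0; {COOKIE_ATTRS}"),
               ("Cache-Control", "no-store")]
    if session is None:
        return 302, headers + [("Location", return_to)]

    # Layer 2 (Maverics): RP-Initiated Logout request. `state` is kept in a
    # short-lived cookie so the post-logout page can check the returned value.
    state = secrets.token_urlsafe(16)
    query = urlencode({
        "id_token_hint": session["id_token"],
        "client_id": CLIENT_ID,
        "post_logout_redirect_uri": return_to,
        "state": state,
    })
    headers.append(("Set-Cookie", f"logout_state={state}; Max-Age=300; {COOKIE_ATTRS}"))
    headers.append(("Location", f"{END_SESSION_ENDPOINT}?{query}"))
    return 302, headers
```

The IdP session layer is not touched here; whether it is also ended depends on how logout is configured beyond the application.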


Key Differences at a Glance

| Logout Type | Scope | Protocol Used | Typical Scenario |
|---|---|---|---|
| Single Logout | All apps + IdP (optional) | SAML SLO or OIDC Front/Back Channel | User clicks “Log out everywhere” |
| SAML App Logout | Specific SAML app | SAML SLO | Logout only from one SAML SP |
| OIDC App Logout | Specific OIDC app | OIDC RP‑Initiated Logout | Logout only from one OIDC RP |
| Proxy App Logout | Specific proxied app | Proprietary session clear | Logout from legacy/proxied apps |