Single logout can be used to logout users from the orchestrator and its dependent IDPs. An example sequence diagram of the SLO flow can be found below.
By default, the orchestrator does the following upon logout:
Expires all cookies associated with the request
Evicts the session
Logs the user out of the IDPs associated with the session
SLO functionality may be disrupted if the orchestrator's config is reloaded or the orchestrator is restarted. During a config reload or orchestrator restart event, existing sessions will be terminated which inhibits federated logouts. To mitigate the risk of users not being logged out at federated IDPs, set a short session lifetime.
Configuration options
Logout URL
logoutURL
is the endpoint clients call to trigger a logout. This endpoint is hosted by the orchestrator and must reside on the same domain.
Ensure all connectors that are used as an IDP define the necessary logout related fields.
Post Logout
postLogout
defines optional actions the orchestrator can execute after single-logout is complete.
Post-Logout Redirect URL
redirectURL
is an optional field used to define the URL to redirect the client to after the single logout process is complete. If not specified, the client will be shown a message that logout has completed successfully.
Post-Logout Service Extension
postLogoutSE
is an optional field used to define a Service Extension that controls the behavior after a logout has occurred. This Service Extension is executed before the redirect to the redirectURL
occurs.