Single logout (SLO)

Prev Next

Single logout can be used to logout users from the orchestrator and its dependent IDPs. An example sequence diagram of the SLO flow can be found below.

By default, the orchestrator does the following upon logout:

  • Expires all cookies associated with the request

  • Evicts the session

  • Logs the user out of the IDPs associated with the session

SLO functionality may be disrupted if the orchestrator's config is reloaded or the orchestrator is restarted. During a config reload or orchestrator restart event, existing sessions will be terminated which inhibits federated logouts. To mitigate the risk of users not being logged out at federated IDPs, set a short session lifetime.

Configuration options

Logout URL

logoutURL is the endpoint clients call to trigger a logout. This endpoint is hosted by the orchestrator and must reside on the same domain.

Ensure all connectors that are used as an IDP define the necessary logout related fields.

Post Logout

postLogout defines optional actions the orchestrator can execute after single-logout is complete.

Post-Logout Redirect URL

redirectURL is an optional field used to define the URL to redirect the client to after the single logout process is complete. If not specified, the client will be shown a message that logout has completed successfully.

Post-Logout Service Extension

postLogoutSE is an optional field used to define a Service Extension that controls the behavior after a logout has occurred. This Service Extension is executed before the redirect to the redirectURL occurs.