Orchestrator reference
Configuration reference
Global settings
Single logout (SLO)

Single logout (SLO)

Single logout can be used to logout users from the orchestrator and its dependent IDPs. An example sequence diagram of the SLO flow can be found below.

single logout sequence_diagram

By default, the orchestrator does the following upon logout:

  • Expires all cookies associated with the request
  • Evicts the session
  • Logs the user out of the IDPs associated with the session
⚠️
SLO functionality may be disrupted if the orchestrator’s config is reloaded or the orchestrator is restarted. During a config reload or orchestrator restart event, existing sessions will be terminated which inhibits federated logouts. To mitigate the risk of users not being logged out at federated IDPs, set a short session lifetime.

Configuration options

Logout URL

logoutURL is the endpoint clients call to trigger a logout. This endpoint is hosted by the orchestrator and must reside on the same domain.

ℹ️
Ensure all connectors that are used as an IDP define the necessary logout related fields.

Post Logout

postLogout defines optional actions the orchestrator can execute after single-logout is complete.

Post-Logout Redirect URL

redirectURL is an optional field used to define the URL to redirect the client to after the single logout process is complete. If not specified, the client will be shown a message that logout has completed successfully.

Post-Logout Service Extension

postLogoutSE is an optional field used to define a Service Extension that controls the behavior after a logout has occurred. This Service Extension is executed before the redirect to the redirectURL occurs.

Example Configurations

Base Configuration 

singleLogout:
  logoutURL: https://idp.enterprise.com/single-logout
  postLogout:
    redirectURL : https://enterprise.com/index.html

postLogoutSE Service Extension

This Service Extension enables the user to add custom behavior as part of the single logout experience. It is executed after the logout with the IDPs occur but before the redirect to redirectURL.

If not defined, the orchestrator will use the default behavior of dropping all the cookies associated in that request.

Below is an example of dropping a specific cookie as part of the single logout process.

singleLogout:
  logoutURL: https://idp.enterprise.com/single-logout
  postLogout:
    redirectURL : https://enterprise.com/index.html
    postLogoutSE:
      funcName: PostLogout
      file: /etc/maverics/extensions/postLogout.go

/etc/maverics/extensions/postLogout.go

package main

import (
	"net/http"

	"maverics/log"
	"github.com/strata-io/service-extension/orchestrator"
)

func PostLogout(
	api orchestrator.Orchestrator,
	rw http.ResponseWriter,
	req *http.Request,
) {
	log.Info("msg", "starting postLogoutSE")
	for _, c := range req.Cookies() {
		if c.Name == "storage" {
			http.SetCookie(rw, &http.Cookie{
				Name:   c.Name,
				Path:   "/",
				MaxAge: -1,
			})
		}
	}
	log.Info("msg", "successfully completed postLogoutSE")
}
Sessions and user stateCaches