Single logout (SLO)

Single logout can be used to logout users from the orchestrator and its dependent IDPs. An example sequence diagram of the SLO flow can be found below.

single logout sequence_diagram

By default, the orchestrator does the following upon logout:

  • Expires all cookies associated with the request
  • Evicts the session
  • Logs the user out of the IDPs associated with the session

Configuration options

Logout URL

logoutURL is the endpoint clients call to trigger a logout. This endpoint is hosted by the orchestrator and must reside on the same domain.

Ensure all connectors that are used as an IDP define the necessary logout related fields.

Post-Logout Redirect URL

postLogoutRedirectURL is an optional field used to define the URL to redirect the client to after the single logout process is complete. If not specified, the client will be shown a message that logout has completed successfully.

Post-Logout Service Extension

postLogoutSE is an optional field used to define a Service Extension that controls the behavior after a logout has occurred. This Service Extension is executed before the redirect to the postLogoutRedirectURL occurs.

Example Configurations

Base Configuration

  postLogoutRedirectURL :

postLogoutSE Service Extension

This Service Extension enables the user to add custom behavior as part of the single logout experience. It is executed after the logout with the IdPs occur but before the redirect to postLogoutRedirectURL.

If not defined, the orchestrator will use the default behavior of dropping all the cookies associated in that request.

Below is an example of dropping a specific cookie as part of the single logout process.

  postLogoutRedirectURL :
    funcName: PostLogout
    file: /etc/maverics/extensions/postLogout.go


package main

import (


func PostLogout(rw http.ResponseWriter, req *http.Request) {
	log.Info("msg", "starting postLogoutSE")
	for _, c := range req.Cookies() {
		if c.Name == "storage" {
			http.SetCookie(rw, &http.Cookie{
				Name:   c.Name,
				Path:   "/",
				MaxAge: -1,
	log.Info("msg", "successfully completed postLogoutSE")