Logout in Maverics involves clearing up to three independent session layers. Depending on the application type and security requirements, Maverics supports multiple logout flows — from a global single logout that terminates all sessions to per-app logout for SAML, OIDC, and proxied applications. Logout configuration uses the top-level singleLogout key in the Orchestrator config, separate from the session block.

Session Layers

Three session layers may need to be cleared during logout. Each layer is independent — clearing one does not automatically clear the others.
  1. Application Session Layer — The application’s own session (cookies, server-side session state). Clearing this is the application’s responsibility. For proxied apps, Maverics can clear proxy-injected cookies. For SAML and OIDC apps, the application handles its own session cleanup after receiving a logout signal from the Orchestrator.
  2. Maverics Session Layer — The Orchestrator’s SSO session (maverics_session cookie and server-side session state). Cleared by directing the user to the Maverics logout endpoint configured via singleLogout.logoutURL. This is the layer Maverics directly controls.
  3. Identity Provider Session Layer — The upstream IdP (Entra ID, Okta, Google, etc.) maintains its own session. Clearing this is optional and depends on security requirements. If not cleared, the IdP may transparently re-authenticate the user on the next login attempt (SSO behavior). Maverics can propagate logout to the IdP via SAML SLO or OIDC logout flows.
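
A way to check which cookie-backed layers a logout response actually clears, as an added example (not Maverics code). The Set-Cookie values are constructed, and `app_session` and `legacy_pref` are hypothetical application cookie names. Server-side session state and the IdP's own session are not visible in these headers and need separate verification.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// Constructed sample: Set-Cookie values from a logout response. app_session and
// legacy_pref are hypothetical application cookie names.
var sampleLogoutSetCookie = []string{
	"maverics_session=; Path=/; Max-Age=0; HttpOnly; Secure",
	"legacy_pref=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
	"app_session=abc123; Path=/; HttpOnly; Secure",
}

// clearedCookies reports, per cookie name, whether the response tells the
// browser to delete it (Max-Age <= 0, or Expires in the past without Max-Age).
func clearedCookies(setCookie []string, now time.Time) map[string]bool {
	h := http.Header{}
	for _, v := range setCookie {
		h.Add("Set-Cookie", v)
	}
	out := map[string]bool{}
	for _, c := range (&http.Response{Header: h}).Cookies() {
		// net/http stores "Max-Age=0" as MaxAge == -1; Max-Age wins over Expires.
		byMaxAge := c.MaxAge < 0
		byExpires := c.MaxAge == 0 && !c.Expires.IsZero() && c.Expires.Before(now)
		out[c.Name] = byMaxAge || byExpires
	}
	return out
}

// notCleared returns the expected session cookies the response left in place.
func notCleared(expected []string, cleared map[string]bool) []string {
	var left []string
	for _, name := range expected {
		if !cleared[name] {
			left = append(left, name)
		}
	}
	return left
}

func main() {
	cleared := clearedCookies(sampleLogoutSetCookie, time.Now())
	fmt.Println("still set:", notCleared([]string{"maverics_session", "legacy_pref", "app_session"}, cleared))
}
```

A cookie that is still set after logout means that layer's session survives and must be cleared by whichever component owns it.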

Logout Flows

Single Logout (SLO)

Scope: All connected apps, plus optionally the IdP. Single Logout is the broadest logout flow — it terminates the Maverics session and propagates logout to every app that participated in the SSO session. Configured at the top level of the Orchestrator config:
maverics.yaml
singleLogout:
  logoutURL: https://example.com/single-logout
  postLogout:
    redirectURL: https://example.com/index.html
    postLogoutSE: <postLogoutSEName>
logoutURL is the URL users visit to initiate logout. After logout completes, the user is redirected to postLogout.redirectURL. The optional postLogoutSE Service Extension hook runs custom logic after the logout flow finishes (e.g., audit logging, cleanup). Typical scenario: User clicks “Log out everywhere” and expects to be logged out of all applications. See Local Sessions — Single Logout Configuration for the full config reference in context.

SAML App Logout

Scope: A specific SAML service provider. Maverics sends a SAML SingleLogoutRequest to the SP’s logoutServiceURL. This terminates the session for that one SAML app without affecting other apps or the Maverics session itself. Configuration is per-app in the SAML provider:
maverics.yaml
samlProvider:
  endpoints:
    singleLogoutService: https://auth.example.com/saml/slo

apps:
  - name: my-saml-app
    type: saml
    logoutServiceURL: https://sp.example.com/logout
singleLogoutService is the Orchestrator’s SLO endpoint that receives logout requests. logoutServiceURL is the SP’s endpoint where Maverics sends the logout request. Typical scenario: Logout from one specific SAML application while remaining logged in to others. See SAML Provider Reference for all SAML configuration fields.

OIDC App Logout

Scope: A specific OIDC relying party. Uses RP-Initiated Logout — the RP redirects to the Orchestrator’s end-session endpoint. The Orchestrator terminates the session for that RP and redirects to an allowed logoutRedirectURL.
maverics.yaml
oidcProvider:
  discovery:
    endpoints:
      endSession: /oidc/end-session

apps:
  - name: my-oidc-app
    type: oidc
    logoutRedirectURLs:
      - https://app.example.com/logout-callback
endSession is the Orchestrator’s end-session endpoint path. logoutRedirectURLs lists allowed post-logout redirect URIs for the RP. Typical scenario: Logout from one OIDC application while remaining logged in to others. See OIDC Provider Reference for all OIDC configuration fields.
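
Why the allow-list matters: an end-session endpoint that redirects to any caller-supplied URL is an open redirect. The sketch below is an added example, not the Orchestrator's implementation. It shows exact-match validation of the standard `post_logout_redirect_uri` and `state` parameters from OIDC RP-Initiated Logout against a registered list; the function name and fallback URL are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Constructed sample: the logoutRedirectURLs registered for my-oidc-app.
var allowedLogoutRedirects = []string{"https://app.example.com/logout-callback"}
var errRedirectNotAllowed = errors.New("post_logout_redirect_uri is not registered")

// resolvePostLogoutRedirect decides where the browser goes after end-session.
// requested is the post_logout_redirect_uri parameter; fallback (hypothetical)
// is the landing page used when the RP sends none.
func resolvePostLogoutRedirect(requested, state, fallback string, allowed []string) (string, error) {
	if requested == "" {
		return fallback, nil
	}
	for _, a := range allowed {
		// Exact string match only: no prefix, host-only or normalised comparison.
		if requested != a {
			continue
		}
		u, err := url.Parse(a)
		if err != nil || !u.IsAbs() {
			return "", fmt.Errorf("registered URL %q is not absolute", a)
		}
		if state != "" { // echo the RP's state so it can correlate the response
			q := u.Query()
			q.Set("state", state)
			u.RawQuery = q.Encode()
		}
		return u.String(), nil
	}
	return "", errRedirectNotAllowed
}

func main() {
	for _, req := range []string{
		"https://app.example.com/logout-callback",             // registered
		"https://app.example.com/logout-callback/x",           // extends a registered URL
		"https://app.example.com.example.net/logout-callback", // look-alike host
		"", // parameter omitted
	} {
		got, err := resolvePostLogoutRedirect(req, "xyz", "https://example.com/index.html", allowedLogoutRedirects)
		fmt.Printf("%q -> %q err=%v\n", req, got, err)
	}
}
```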

Proxy App Logout

Scope: A specific proxied (legacy) application. Clears the Maverics proxy session and any custom cookies set for that app. Uses a proprietary session clear mechanism since proxied apps do not speak SAML or OIDC.
maverics.yaml
apps:
  - name: legacy-app
    type: proxy
    logout:
      logoutURL: /logout
      postLogoutRedirectURL: https://app.example.com/
logoutURL is the path on the proxied app that triggers logout. postLogoutRedirectURL is where the user goes after the proxy session is cleared. Typical scenario: Logout from a legacy or proxied application that does not support federated logout protocols. See HTTP Proxy Reference for all proxy logout configuration fields.

Key Differences

| Logout Type | Scope | Protocol | Typical Scenario |
| --- | --- | --- | --- |
| Single Logout | All apps + IdP (optional) | SAML SLO or OIDC Front/Back Channel | User clicks “Log out everywhere” |
| SAML App Logout | Specific SAML app | SAML SingleLogoutRequest | Logout from one SAML SP |
| OIDC App Logout | Specific OIDC app | RP-Initiated Logout | Logout from one OIDC RP |
| Proxy App Logout | Specific proxied app | Proprietary session clear | Logout from a legacy/proxied app |