> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Logout

When a user signs out, every session layer must be cleared -- the application, the Orchestrator's SSO session, and optionally the upstream identity provider. Incomplete logout leaves active sessions that could be exploited, violates compliance requirements for session termination, or confuses users who expect a clean sign-out. Maverics supports multiple logout flows -- from a global single logout that terminates all sessions to per-app logout for SAML, OIDC, and proxied applications. Logout configuration uses the top-level `singleLogout` key in the Orchestrator config, separate from the `session` block.

## Session Layers

Three session layers may need to be cleared during logout. Each layer is independent -- clearing one does not automatically clear the others.

1. **Application Session Layer** -- The application's own session (cookies, server-side session state). Clearing this is the application's responsibility. For proxied apps, Maverics can clear proxy-injected cookies. For SAML and OIDC apps, the application handles its own session cleanup after receiving a logout signal from the Orchestrator.

2. **Maverics Session Layer** -- The Orchestrator's SSO session (`maverics_session` cookie and server-side session state). Cleared by directing the user to the Maverics logout endpoint configured via `singleLogout.logoutURL`. This is the layer Maverics directly controls.

3. **Identity Provider Session Layer** -- The upstream IdP (Entra ID, Okta, Google, etc.) maintains its own session. Clearing this is optional and depends on security requirements. If not cleared, the IdP may transparently re-authenticate the user on the next login attempt (SSO behavior). Maverics can propagate logout to the IdP via SAML SLO or OIDC logout flows.

## Logout Flows

### Single Logout (SLO)

Scope: All connected apps, plus optionally the IdP. Single Logout is the broadest logout flow -- it terminates the Maverics session and propagates logout to every app that participated in the SSO session. Configured at the top level of the Orchestrator config:

```yaml maverics.yaml theme={null}
singleLogout:
  logoutURL: https://example.com/single-logout
  postLogout:
    redirectURL: https://example.com/index.html
    postLogoutSE: <postLogoutSEName>
```

`logoutURL` is the URL users visit to initiate logout. After logout completes, the user is redirected to `postLogout.redirectURL`. The optional `postLogoutSE` [Service Extension](/reference/orchestrator/service-extensions) hook runs custom logic after the logout flow finishes (e.g., audit logging, cleanup).

Typical scenario: User clicks "Log out everywhere" and expects to be logged out of all applications.

See [Sessions overview -- Single Logout Configuration](/reference/orchestrator/sessions#single-logout-configuration) for the full config reference in context.

### SAML App Logout

Scope: A specific SAML service provider. Maverics sends a SAML `SingleLogoutRequest` to the SP's `logoutServiceURL`. This terminates the session for that one SAML app without affecting other apps or the Maverics session itself.

Configuration is per-app in the SAML provider:

```yaml maverics.yaml theme={null}
samlProvider:
  endpoints:
    singleLogoutService: https://auth.example.com/saml/slo

apps:
  - name: my-saml-app
    type: saml
    logoutServiceURL: https://sp.example.com/logout
```

`singleLogoutService` is the Orchestrator's SLO endpoint that receives logout requests. `logoutServiceURL` is the SP's endpoint where Maverics sends the logout request.

Typical scenario: Logout from one specific SAML application while remaining logged in to others.

See [SAML Provider Reference](/reference/modes/saml-provider) for all SAML configuration fields.

### OIDC App Logout

Scope: A specific OIDC relying party. Uses RP-Initiated Logout -- the RP redirects to the Orchestrator's end-session endpoint. The Orchestrator terminates the session for that RP and redirects to an allowed `logoutRedirectURL`.

```yaml maverics.yaml theme={null}
oidcProvider:
  discovery:
    endpoints:
      endSession: /oidc/end-session

apps:
  - name: my-oidc-app
    type: oidc
    logoutRedirectURLs:
      - https://app.example.com/logout-callback
```

`endSession` is the Orchestrator's end-session endpoint path. `logoutRedirectURLs` lists allowed post-logout redirect URIs for the RP.

Typical scenario: Logout from one OIDC application while remaining logged in to others.

See [OIDC Provider Reference](/reference/modes/oidc-provider) for all OIDC configuration fields.

### Proxy App Logout

Scope: A specific proxied (legacy) application. Clears the Maverics proxy session and any custom cookies set for that app. Uses a proprietary session clear mechanism since proxied apps do not speak SAML or OIDC.

```yaml maverics.yaml theme={null}
apps:
  - name: legacy-app
    type: proxy
    logout:
      logoutURL: /logout
      postLogoutRedirectURL: https://app.example.com/
```

`logoutURL` is the path on the proxied app that triggers logout. `postLogoutRedirectURL` is where the user goes after the proxy session is cleared.

Typical scenario: Logout from a legacy or proxied application that does not support federated logout protocols.

See [HTTP Proxy Reference](/reference/modes/http-proxy) for all proxy logout configuration fields.

## Key Differences

| Logout Type      | Scope                     | Protocol                            | Typical Scenario                 |
| ---------------- | ------------------------- | ----------------------------------- | -------------------------------- |
| Single Logout    | All apps + IdP (optional) | SAML SLO or OIDC Front/Back Channel | User clicks "Log out everywhere" |
| SAML App Logout  | Specific SAML app         | SAML SingleLogoutRequest            | Logout from one SAML SP          |
| OIDC App Logout  | Specific OIDC app         | RP-Initiated Logout                 | Logout from one OIDC RP          |
| Proxy App Logout | Specific proxied app      | Proprietary session clear           | Logout from a legacy/proxied app |

## Related Pages

<CardGroup cols={2}>
  <Card title="Sessions" icon="user-clock" href="/reference/orchestrator/sessions">
    Session configuration, lifetime settings, and dynamic expiration
  </Card>

  <Card title="Service Extensions" icon="code" href="/reference/orchestrator/service-extensions">
    postLogoutSE hook and custom API endpoints
  </Card>

  <Card title="SAML Provider" icon="stamp" href="/reference/modes/saml-provider">
    SAML SLO endpoint and per-app logout configuration
  </Card>

  <Card title="OIDC Provider" icon="openid" href="/reference/modes/oidc-provider">
    OIDC end-session and RP-initiated logout
  </Card>
</CardGroup>
