How to configure Single Logout (SLO)

Single Logout (SLO) terminates the user's sessions at all connected service providers (SPs) within the corporate SSO ecosystem when the user logs out of one SP.

For example, in a healthcare setting, when a nurse logs out of a patient records system, SLO logs them out of all connected healthcare applications. This protects patient data and privacy.

Read on to learn how to enable SLO for an Identity Platform application.

If you'd like to learn more about SAML Logout, see How to configure SAML Logout.

Applies to

SecureAuth Identity Platform release 24.04 or later.

Use cases

The following use cases show how Single Logout (SLO) ensures a user named Jane is logged out across many applications after she starts a logout process in one application.

Use case 1: Jane has one user account

Participants
  • User account for Jane: JaneAccount1

  • Applications: App1 and App2

  • Data stores: Datastore1 (associated with App1) and Datastore2 (associated with App2)

Flow
  1. User login:

    • JaneAccount1 is logged into App1, which uses Datastore1

    • JaneAccount1 is logged into App2, which uses Datastore2

  2. Initiating logout:

    • JaneAccount1 logs out of App1

  3. SLO process:

    • As soon as JaneAccount1 logs out of App1, it triggers the SLO process.

    • JaneAccount1 is automatically logged out of App2.

Result: SLO ensures that JaneAccount1 is securely logged out from all associated applications, in this case App1 and App2. This boosts security and user convenience.

Use case 2: Jane has two user accounts

Participants
  • User accounts for Jane: JaneAccount1 and JaneAccount2

  • Applications: App1 and App2

  • Data stores: Datastore1 (associated with JaneAccount1 and App1) and Datastore2 (associated with JaneAccount2 and App2)

Flow
  1. User login:

    • JaneAccount1 is logged into App1, which uses Datastore1

    • JaneAccount2 is logged into App2, which uses Datastore2

  2. Initiating logout:

    • JaneAccount1 logs out of App1

  3. SLO process:

    • As soon as JaneAccount1 logs out of App1, it triggers the SLO process.

    • JaneAccount2 is automatically logged out of App2.

Result: Even though Jane has more than one user account in different applications, logging out from one logs Jane out from the other. This shows how SLO boosts security for different sessions and apps.

Configuration steps

This assumes that you have a SAML application configured in the Identity Platform.

  1. In the left navigation of the Identity Platform, click Application Manager.

  2. Click the pencil icon for the application for which you want to enable SAML Logout.

    The Application Settings page appears.

  3. In the Connection Settings section, click the pencil icon.

  4. In the SAML Logout section, set the following configurations.

    SAML Logout URL

    Enter the logout URL for the Service Provider (SP).

    SAML Request Certificate

    Provide the signing certificate from the Service Provider (SP).

    SAML Logout Binding

    Select a protocol for the logout process.

    Selection options are:

    • HTTP POST – When a user logs out from the application, the SP uses an HTTP POST request to send a logout request message to the IdP.

    • HTTP Redirect – When a user logs out from the application, the IdP uses an HTTP redirect to send a logout request to the SP.

    Single Logout

    You must configure all SAML Logout settings for this option to appear.

    Use one of the following options:

    • Slider in the On position (enabled): When a user logs out of this application, they will also be logged out of all linked applications.

    • Slider in the Off position (disabled): Logging out of this application won't change the user's login status for other applications.

  5. Click Update Settings.

    After it saves the application, the Information for Service Providers page appears. You will need this information to complete the configurations on the service provider side.

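
When testing the SAML Logout Binding selected in step 4, it helps to decode a captured SAMLRequest and confirm its issuer, its Destination, and whether it carries a signature. The following Python is an added example, not SecureAuth code: it applies the standard SAML 2.0 binding encodings, all URLs, IDs and function names are constructed placeholders, and it inspects the message without cryptographically verifying the signature.

```python
import base64, zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_XML = 64 * 1024  # cap on decoded size, guards against inflate bombs

def decode_saml_request(binding, value):
    """Undo the transport encoding of a SAMLRequest parameter."""
    raw = base64.b64decode(value, validate=True)
    if binding == "redirect":        # HTTP Redirect: raw DEFLATE, then base64
        d = zlib.decompressobj(-15)
        raw = d.decompress(raw, MAX_XML)
        if d.unconsumed_tail:
            raise ValueError("message too large")
    elif binding != "post":          # HTTP POST: base64 only
        raise ValueError("unknown binding")
    if len(raw) > MAX_XML or b"<!DOCTYPE" in raw:
        raise ValueError("message rejected")
    return raw

def inspect_logout_request(binding, params, expected_destination):
    """Summarise a captured LogoutRequest; does NOT verify the signature."""
    root = ET.fromstring(decode_saml_request(binding, params["SAMLRequest"]))
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a LogoutRequest")
    if binding == "redirect":        # signature travels in the query string
        signed = "Signature" in params and "SigAlg" in params
    else:                            # signature is embedded in the XML
        signed = root.find("ds:Signature", NS) is not None
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "session_index": root.findtext("samlp:SessionIndex", namespaces=NS),
            "destination_ok": root.get("Destination") == expected_destination,
            "signed": signed}

# Constructed sample message; every value below is a placeholder.
SAMPLE = (b'<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" '
          b'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
          b'Destination="https://idp.example.com/slo">'
          b'<saml:Issuer>https://sp.example.com</saml:Issuer><saml:NameID>JaneAccount1'
          b'</saml:NameID><samlp:SessionIndex>_s1</samlp:SessionIndex></samlp:LogoutRequest>')

def encode(binding, xml):            # builds sample input for either binding
    if binding == "redirect":
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml = c.compress(xml) + c.flush()
    return base64.b64encode(xml).decode()
```

An unsigned request, or one whose Destination does not match the configured logout endpoint, points to a mismatch between the SAML Logout settings above and the SP-side configuration.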