Single logout (SLO) refers to the global logout initiated by an application.
When a user who logs on to an application by implementing single sign-on (SSO) from Identity as a Service (IDaaS) wants to log out, the user can initiate a global logout on the application to terminate the application sessions as well as the primary IDaaS logon session. IDaaS implements SLO based on the OpenID Connect (OIDC) protocol. Currently, users can log out of only self-developed applications and OIDC applications by using SLO.
SLO is a session management system for federated authentication. If your application requires user authentication for each logon regardless of whether a primary session exists, you do not need to implement SLO. You can configure the prompt parameter in the authorization endpoint to prompt users to complete authentication upon each logon.
Call the SLO endpoint
When a user requests a logout, you need to initiate a redirect request to the end session endpoint provided by IDaaS after the application session is closed.
The administrator can obtain the end session endpoint by performing the following steps: Click the name of the application to go to the application details page, click the Sign-In tab and then the SSO subtab, and then find the end session endpoint in the Application Settings section in the lower part of the page.
Redirecting to this endpoint triggers SLO. Without additional parameters, IDaaS cannot determine whether the SLO request is valid and therefore requires the user to confirm the logout action. (This manual confirmation step can be skipped. See the instructions below.)
If a logged-on IDaaS session exists, IDaaS prompts the user about the logout action and asks the user to confirm logout, as shown in the following figure.
If the user confirms logout in the previous step, or no logged-on IDaaS session exists, the "Logged out" message appears, as shown in the following figure.
Automatic redirection upon logout
If you want the user to be redirected to the application page instead of being shown the "Logged out" message after SLO is complete, you can configure Logout Redirect URIs (post_logout_redirect_uri).
The administrator can click Applications, find this application in the application list, and then click Manage in the Actions column corresponding to the application. On the page that appears, click the Sign-In tab and then the SSO subtab. Click Show Advanced Settings, find the Logout Redirect URIs field, and then enter a complete URI for redirecting to the application.
Up to five logout redirect URIs can be configured as a whitelist. The value of the post_logout_redirect_uri parameter in the logout request sent to the SLO endpoint must match an entry in this whitelist for the redirection to take effect.
After the configuration is saved, you can include the post_logout_redirect_uri parameter in the request sent to the SLO endpoint to implement redirection upon logout.
Automatic logout (no manual confirmation required)
If you want the user to log out and be redirected to the application page without going through the manual confirmation process, you must include the additional id_token_hint parameter in the request sent to the SLO endpoint after Logout Redirect URIs are configured.
The following table describes the parameters that are supported by the SLO endpoint.
Parameter | Required | Description |
id_token_hint | No | Required when you want to implement automatic logout. IDaaS uses it to verify that the logout request is valid. Pass in a valid id_token that was issued by IDaaS upon SSO. |
post_logout_redirect_uri | No | Required when you want to implement automatic redirection upon logout. Pass in an HTTPS URI for redirecting to the application upon logout. This URI must be preconfigured in the Logout Redirect URIs field on the application management page of IDaaS. |
state | No | A random string. If automatic redirection is configured and this parameter is passed to IDaaS, it is returned to the application as a redirect parameter, so the application can verify that the redirect belongs to the logout request it initiated. |
The following example shows a request sent to the SLO endpoint:
GET https://example.aliyunidaas.com/login/app/<application_id>/oauth2/logout
?id_token_hint=${id_token}
&post_logout_redirect_uri=${post_logout_redirect_uri}
&state=${state}
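The following added example (not IDaaS code) shows how an application can build this request and check the returned state. The application ID, the redirect URI whitelist and the session object are assumed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder application ID; the real endpoint is copied from the IDaaS console.
END_SESSION_ENDPOINT = "https://example.aliyunidaas.com/login/app/APPLICATION_ID_PLACEHOLDER/oauth2/logout"

# Local mirror of the Logout Redirect URIs whitelist configured in IDaaS (constructed sample).
LOGOUT_REDIRECT_ALLOWLIST = {
    "https://app.example.com/logged-out",
}


def build_slo_url(id_token, post_logout_redirect_uri, session):
    """Terminate the application session and return the URL to redirect the browser to."""
    if post_logout_redirect_uri not in LOGOUT_REDIRECT_ALLOWLIST:
        # IDaaS ignores a URI that is not whitelisted; fail closed on the application side too.
        raise ValueError("post_logout_redirect_uri is not in the Logout Redirect URIs whitelist")
    state = secrets.token_urlsafe(32)
    # Close the application session first; keep only the logout state for the return leg.
    session.clear()
    session["logout_state"] = state
    params = {
        "id_token_hint": id_token,  # lets IDaaS validate the request and skip manual confirmation
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return END_SESSION_ENDPOINT + "?" + urlencode(params)


def verify_logout_return(return_url, session):
    """Check the state echoed back by IDaaS on the post-logout redirect.

    The stored state is consumed on every call, so a replayed redirect fails.
    """
    expected = session.pop("logout_state", None)
    received = parse_qs(urlparse(return_url).query).get("state", [None])[0]
    if expected is None or received is None:
        return False
    return secrets.compare_digest(expected, received)
```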
Limits
IDaaS has the following limits on SLO:
IDaaS can implement SLO based on only OIDC.
IDaaS supports SLO initiated only by service providers (SPs).
IDaaS logs out only the application that initiated SLO and the primary IDaaS logon session; other applications that the user is logged on to are not logged out. In other words, global SLO is not implemented.