Single logout (SLO) lets an application terminate both its own session and the user's primary IDaaS session in one action. IDaaS implements SLO based on the OpenID Connect (OIDC) protocol. SLO is supported only for self-developed applications and OIDC applications.
SLO is a session management mechanism for federated authentication. If your application requires authentication on every login regardless of whether a primary session exists, configure the prompt parameter in the authorization endpoint instead.
How it works
A complete logout requires two steps:
Close the application session on the application side.
Redirect the user to the IDaaS end session endpoint to terminate the primary IDaaS session.
Call the SLO endpoint
After closing the application session, redirect the user to the end session endpoint provided by IDaaS.
To find the end session endpoint, go to the application details page, click the Sign-In tab and then the SSO subtab, and locate the endpoint in the Application Settings section at the bottom of the page.

When IDaaS prompts for confirmation
IDaaS displays a logout confirmation prompt when it cannot verify that the logout request came from the authenticated user. This happens when either of the following conditions is true:
The id_token_hint parameter is not included in the request.
The id_token value does not match the session ID in IDaaS.
If an active IDaaS session exists, IDaaS shows a confirmation prompt:

After the user confirms, or if no active IDaaS session exists, the Logged out message appears:

Redirect after logout
To redirect users to your application after logout instead of showing the Logged out message, configure the Logout Redirect URIs field (post_logout_redirect_uris).
To configure logout redirect URIs:
Go to Applications and find the application in the list.
Click Manage in the Actions column.
Click the Sign-In tab, then the SSO subtab.
Click Show Advanced Settings.
In the Logout Redirect URIs field, enter a complete URI.
You can configure up to five logout redirect URIs as a whitelist. The post_logout_redirect_uri value in each logout request must match one of the configured URIs for the redirect to take effect.

After saving, include post_logout_redirect_uri in logout requests to enable automatic redirection.
Skip the confirmation prompt
To log out without the confirmation prompt, include id_token_hint in the request. This parameter lets IDaaS verify that the request came from the authenticated user.
The following table describes the parameters supported by the SLO endpoint.
| Parameter | Required | Description |
|---|---|---|
| id_token_hint | No | Pass the id_token value issued by IDaaS during SSO. This value serves as the session ID and allows IDaaS to verify the logout request, skipping the confirmation prompt. Even if the token has expired, it is still accepted. If the value does not match the session ID in IDaaS, IDaaS falls back to the confirmation prompt. |
| post_logout_redirect_uri | No | Required when redirecting users to your application after logout. Pass an HTTPS URI that is preconfigured in the Logout Redirect URIs field. |
| state | No | A random string for security verification. If automatic redirection is configured, IDaaS returns this value as a redirect parameter. |
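One way an application could assemble the logout request from the parameters in this table and check the state value that comes back, shown as an added example rather than IDaaS code. The endpoint keeps the page's placeholder; the redirect URI, the allowlist contents, the exact-match precheck and the function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder endpoint in the format shown on the application details page.
END_SESSION_ENDPOINT = "https://example.aliyunidaas.com/login/app/<application_id>/oauth2/logout"
# Constructed sample: local mirror of the Logout Redirect URIs field (up to five entries).
LOGOUT_REDIRECT_URIS = ["https://app.example.com/logged-out"]


def build_logout_url(id_token=None, post_logout_redirect_uri=None):
    """Return (url, state); state is None when no redirect is requested."""
    params = {}
    if id_token:
        # An expired id_token is still accepted as a hint and skips the prompt.
        params["id_token_hint"] = id_token
    state = None
    if post_logout_redirect_uri is not None:
        # Fail early on values IDaaS would not redirect to (assumed exact match).
        if urlsplit(post_logout_redirect_uri).scheme != "https":
            raise ValueError("post_logout_redirect_uri must be an HTTPS URI")
        if post_logout_redirect_uri not in LOGOUT_REDIRECT_URIS:
            raise ValueError("URI is not in the configured Logout Redirect URIs")
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
        # Random, single-use value; keep it (for example in a short-lived
        # cookie) so the post-logout page can compare it after the redirect.
        state = secrets.token_urlsafe(32)
        params["state"] = state
    query = urlencode(params)
    url = f"{END_SESSION_ENDPOINT}?{query}" if query else END_SESSION_ENDPOINT
    return url, state


def state_matches(callback_url, expected_state):
    """True only if the redirect carries exactly one state equal to ours."""
    returned = parse_qs(urlsplit(callback_url).query).get("state", [])
    if len(returned) != 1 or not expected_state:
        return False
    # Constant-time comparison on bytes.
    return hmac.compare_digest(returned[0].encode(), expected_state.encode())
```

Call build_logout_url only after the application session has been closed, then redirect the browser to the returned URL.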
The following is an example logout request:
GET https://example.aliyunidaas.com/login/app/<application_id>/oauth2/logout
?id_token_hint=${id_token}
&post_logout_redirect_uri=${post_logout_redirect_uri}
&state=${state}
SLO flowchart

Limitations
IDaaS implements SLO based on OIDC only.
IDaaS supports SLO initiated by service providers (SPs) only.
IDaaS terminates only the primary IDaaS session. Other application sessions that share the same IDaaS session are not terminated. Global SLO is not supported.