
Identity as a Service: Advanced: SLO

Last Updated: Mar 25, 2025

Single logout (SLO) is a logout initiated by an application. After you have logged on to an application through single sign-on (SSO) with Identity as a Service (IDaaS), logging out of that application can also terminate the primary IDaaS logon session, so that the application session and the IDaaS session end together. IDaaS implements SLO based on the OpenID Connect (OIDC) protocol. Currently, only self-developed applications and OIDC applications support SLO.

Note

SLO is a session management mechanism for federated authentication. If your application must re-authenticate the user on every logon regardless of whether a primary IDaaS session exists, SLO is not the right tool: instead, set the prompt parameter (prompt=login) in the request to the authorization endpoint, which makes IDaaS require authentication on each logon.

Call the SLO endpoint

When a user requests a logout, the application first terminates its own session and then redirects the browser to the end session endpoint provided by IDaaS.

An administrator can obtain the end session endpoint as follows: click the name of the application to open the application details page, click the Sign-In tab and then the SSO subtab, and find the end session endpoint in the Application Settings section in the lower part of the page.

[Figure: end session endpoint in the Application Settings section]

A plain redirect to this endpoint, with no parameters, is enough to trigger SLO. Because such a request carries nothing that IDaaS can verify, IDaaS cannot tell whether the logout was requested by the application or by a third party, and therefore asks the user to confirm the logout.

Note

This manual confirmation can be skipped; see Automatic logout below.

If a logged-on IDaaS session exists, IDaaS prompts you to confirm the logout, as shown in the following figure.

[Figure: logout confirmation page]

If you confirm the logout, or if no logged-on IDaaS session exists, the Logged out message appears, as shown in the following figure.

[Figure: Logged out page]

Automatic redirection upon logout

If you want the browser to be redirected back to the application instead of being shown the Logged out message after SLO completes, configure the Logout Redirect URIs field (post_logout_redirect_uris).

The administrator can click Applications, find this application in the application list, and then click Manage in the Actions column corresponding to the application. On the page that appears, click the Sign-In tab and then the SSO subtab. Click Show Advanced Settings, find the Logout Redirect URIs field, and then enter a complete URI for redirecting to the application.

Up to five logout redirect URIs can be configured; together they form an allowlist. The post_logout_redirect_uri value sent to the SLO endpoint (see the example request below) must match an entry in this allowlist for the redirection to take effect; otherwise the Logged out page is shown. The allowlist is what prevents the end session endpoint from being used as an open redirector to a site of an attacker's choosing.

[Figure: Logout Redirect URIs field under Show Advanced Settings]

After the configuration is saved, include the post_logout_redirect_uri parameter in the request sent to the SLO endpoint to be redirected to the application upon logout.

Automatic logout

To log out and be redirected to the application without manual confirmation, include the id_token_hint parameter (the id_token that IDaaS issued during SSO) in the request sent to the SLO endpoint, in addition to configuring the Logout Redirect URIs field as described above.

The SLO endpoint supports the following parameters.

id_token_hint (optional)

Required for automatic logout: IDaaS uses it to verify that the logout request is genuine. Pass the id_token that IDaaS issued to the application during SSO; IDaaS treats this value as the identifier of the primary logon session.

Note

If the value does not match the session ID held by IDaaS, the request cannot be verified and the user must confirm the logout manually. An id_token that has already expired still qualifies for automatic logout, because IDaaS matches it against the session ID rather than checking its validity period.

This check follows the OIDC RP-Initiated Logout specification and prevents a third party that does not hold the token from forcing a logout, for example by luring the browser to the end session endpoint.

post_logout_redirect_uri (optional)

Required for automatic redirection upon logout. Pass an HTTPS URI of the application to redirect to after logout. The URI must be preregistered in the Logout Redirect URIs field on the application management page of IDaaS; otherwise the Logged out page is shown instead of the redirect.

state (optional)

A random, unguessable string generated by the application. If automatic redirection is configured and the application passes this parameter, IDaaS appends it unchanged to the redirect back to the application. The application should store the value before redirecting and compare it when the browser returns, so that it can distinguish a genuine post-logout return from an unrelated or forged request to that URI.
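To make the rules above checkable offline, the following model of the end session endpoint's decision logic is an added example, not IDaaS code or code from this page. It assumes two details the page does not state: the redirect URI is matched against the allowlist by exact string comparison, and id_token_hint is compared with the stored session ID by plain string equality, so an expired id_token still qualifies for automatic logout. The session, the registered URIs and the request parameters are constructed inline.

```python
# Added example: a model of the documented end session decision rules.
# Not IDaaS code. Assumptions (not stated on the page): exact-match allowlist
# comparison, and id_token_hint compared with the session ID by string equality.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlsplit

MAX_POST_LOGOUT_URIS = 5  # limit stated on the page


def register_logout_uris(uris):
    """Validate the Logout Redirect URIs allowlist: HTTPS only, at most five entries."""
    if len(uris) > MAX_POST_LOGOUT_URIS:
        raise ValueError("at most five logout redirect URIs can be configured")
    for uri in uris:
        if urlsplit(uri).scheme != "https":
            raise ValueError(f"logout redirect URI must be HTTPS: {uri}")
    return tuple(uris)


@dataclass
class IdaasSession:
    id_token: str  # the page says this value doubles as the primary session ID


@dataclass
class LogoutOutcome:
    session_terminated: bool     # primary IDaaS session ended without asking the user
    confirmation_required: bool  # IDaaS shows the confirmation page first
    redirect_to: Optional[str]   # where the browser lands once logout completes; None = "Logged out" page


def decide_logout(params, session, allowlist):
    """Evaluate an end session request against the current primary session."""
    hint = params.get("id_token_hint")
    target = params.get("post_logout_redirect_uri")
    state = params.get("state")

    # Redirection happens only on an exact allowlist hit; state is echoed back only then.
    redirect_to = None
    if target is not None and target in allowlist:
        redirect_to = target if state is None else f"{target}?{urlencode({'state': state})}"

    if session is None:
        # No primary session: nothing to protect, so no confirmation is asked.
        return LogoutOutcome(session_terminated=False, confirmation_required=False,
                             redirect_to=redirect_to)

    if hint is not None and hint == session.id_token:
        # The caller proved it holds the token issued at SSO: log out immediately.
        return LogoutOutcome(session_terminated=True, confirmation_required=False,
                             redirect_to=redirect_to)

    # Missing or mismatching hint: IDaaS cannot verify the request, so the user must confirm.
    return LogoutOutcome(session_terminated=False, confirmation_required=True,
                         redirect_to=redirect_to)


# Constructed sample data (not real IDaaS values).
ALLOWLIST = register_logout_uris(["https://app.example.com/logged-out"])
SESSION = IdaasSession(id_token="eyJhbGciOiJSUzI1NiJ9.constructed.sample")
```

Running decide_logout with a mismatching hint, a missing hint, or a redirect URI that is not in the allowlist shows the three degraded outcomes described on the page: confirmation page, confirmation page, and the Logged out page without a redirect.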

The following example shows a request sent to the SLO endpoint:

GET https://example.aliyunidaas.com/login/app/<application_id>/oauth2/logout
    ?id_token_hint=${id_token}
    &post_logout_redirect_uri=${post_logout_redirect_uri}
    &state=${state}
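The relying-party side of that request, as an added example that is not IDaaS code or code from this page: it closes the application's own session first, generates and records a state value, builds the redirect to the end session endpoint, and checks the echoed state when the browser comes back to the registered post_logout_redirect_uri. The endpoint URL with its <application_id> placeholder, the redirect URI, the id_token value and the in-memory session store are all constructed for the example.

```python
# Added example: relying-party (application) side of RP-initiated logout.
# Not IDaaS code. Endpoint, application id, redirect URI and token are placeholders.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

END_SESSION_ENDPOINT = (
    "https://example.aliyunidaas.com/login/app/<application_id>/oauth2/logout"
)
# Must be one of the (at most five) entries in the Logout Redirect URIs field.
POST_LOGOUT_REDIRECT_URI = "https://app.example.com/logged-out"


def build_logout_url(id_token, state, endpoint=END_SESSION_ENDPOINT,
                     post_logout_redirect_uri=POST_LOGOUT_REDIRECT_URI):
    """Build the redirect to the IDaaS end session endpoint.

    id_token_hint carries the id_token issued at SSO, which is what lets IDaaS
    skip the manual confirmation page; post_logout_redirect_uri and state make
    IDaaS send the browser back to the application with state echoed.
    """
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })
    return f"{endpoint}?{query}"


def start_logout(app_sessions, session_cookie, pending_states):
    """Terminate the application session first, then compute the IDaaS redirect.

    app_sessions maps the app session cookie to the SSO result (including id_token);
    pending_states records the state value we expect IDaaS to echo back.
    """
    session = app_sessions.pop(session_cookie)   # application session is closed first
    state = secrets.token_urlsafe(32)             # unguessable, single use
    pending_states[state] = session_cookie
    return build_logout_url(session["id_token"], state)


def finish_logout(return_url, pending_states):
    """Handle the browser arriving at post_logout_redirect_uri; True if state checks out."""
    returned = parse_qs(urlsplit(return_url).query).get("state", [""])[0]
    for expected in list(pending_states):
        if hmac.compare_digest(returned.encode(), expected.encode()):
            del pending_states[expected]          # consume it: replaying the URL fails
            return True
    return False


# Constructed sample store: one logged-on application session holding the SSO id_token.
APP_SESSIONS = {"sess-abc": {"id_token": "eyJhbGciOiJSUzI1NiJ9.constructed.sample"}}
```

Because the application session is dropped before the redirect is issued, a user who abandons the IDaaS confirmation page is still logged out of the application; the state check on return only decides whether the "you have been logged out" page can trust that it was reached through IDaaS.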

SLO flowchart

[Figure: SLO flowchart]

Note

The SLO feature in IDaaS has the following limits:

  • IDaaS implements SLO only for OIDC.

  • IDaaS supports only SLO initiated by service providers (SPs), that is, RP-initiated logout; IDaaS does not initiate logout on its own.

  • IDaaS terminates only the primary IDaaS logon session (together with the session of the application that initiated the logout). It does not log out other applications that were signed on through that session; in other words, global SLO across applications is not implemented.
