Single Logout (SLO)

SAML 2.0 Single Logout Profile terminates sessions across all federated participants - the IdP and every SP with an active session for the user (saml-profiles §4.4). When a user logs out at one participant, LogoutRequest messages are propagated to all other participants to ensure global session termination. SLO uses either front-channel (HTTP-Redirect/POST via browser) or back-channel (SOAP direct communication) bindings.

Try in Looking Glass
XML-BasedFederated Logout

Sequence Diagram

Click any step for details

UserSPIdPOther SPsSPs1User Initiates Logout2Create LogoutRequest3LogoutRequest Sent to IdP4IdP Propagates Logout to All SPs5SPs Terminate Sessions and Respond6IdP Terminates Own Session7Final LogoutResponse to Initiating SP8Logout Complete
Request
Response
Redirect
Internal

Step-by-Step Breakdown

1
User Initiates Logout
UserInitiating Party
2
Create LogoutRequest
Initiating PartyInitiating Party
3
LogoutRequest Sent to IdP
Service ProviderIdentity Provider
4
IdP Propagates Logout to All SPs
Identity ProviderOther Service Providers
5
SPs Terminate Sessions and Respond
Service ProvidersIdentity Provider
6
IdP Terminates Own Session
Identity ProviderIdentity Provider
7
Final LogoutResponse to Initiating SP
Identity ProviderInitiating Service Provider
8
Logout Complete
Service ProviderUser

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.

Core specs

· The specifications that define this protocol.

Security & privacy

· Dedicated security and privacy considerations.