SAML single-logout Airlock IAM and SAML single-logout (SLO)

SP-initiated SLO (SPSLO)

By default, if a logout is initiated on a Airlock IAM SP (e.g. by calling .../logout ) the logout is only performed locally on this SP. In this case the user can login again at any time since only the SP session was dropped but not the IDP session.

Therefore to enable SP-Initiated SLO the logout must be performed as follows:

  • If the Airlock IAM instance is only used for a single SP, .../SPSloInit/ must be used for logout.
  • Otherwise the correct SP-MetaAlias (see sp-extended.xml) must be used: .../SPSloInit/metaAlias/sp

Notice that in SP-Initiated SLO the user finally ends up on the after-logout-disclaimer page of the SP. Depending on the use case you have to display a meaningful message there or redirect the user to the IDP's after-logout-disclaimer page from there.

Redundant Identity Providers

Note that if there are multiple IDPs (with the same entity id) behind a Airlock Gateway (WAF) and the originally used IDP fails, SLO cannot be performed to third-party SPs anymore, however the user is correctly logged-out of the IDP and the initiating SP.

IDP-initiated SLO (IDPSLO)

When initiating a logout on a Airlock IAM IDP (e.g. by calling .../logout ), a Single-Logout is automatically performed, thus the user is sent to each SP he has visited during this session but will end up on the IDP's after-logout-disclaimer page again in the end.