Single logout (SLO)
SAML Single logout (SLO)

Besides techniques for Single Sign-On SAML also defines two techniques for Single Logout (SLO) that are supported by Airlock IAM:

IDP-initiated SLO

With IDP-Initiated SLO the initial logout process is started on the Airlock IAM-IDP:

27822869.png
  • 1.
    A logout is started on the Airlock IAM IDP.
  • 2.
    The browser is redirected to the the first SP for logout and is always redirected back to the IDP, no matter if the session with SP-1 was still active.
  • 3.
    The browser is redirected to the the second SP for logout and is always redirected back to the IDP, no matter if the session with SP-2 was still active.
  • (at this point further logouts on further SPs could be performed, but they were omitted in the figure for simplicity, however logouts are only performed to SPs the user previously got an Assertion for).

  • 4.
    When after the last logout the browser returns to the Airlock IAM-IDP the after-logout-page is returned by the Airlock IAM-IDP.

SP-initiated SLO

27822878.png
  • 1.
    A Single-Logout is initiated on one of the SPs (here SP-1).
  • 2.
    The SP sends a "Logout Request" via the browser to the Airlock IAM-IDP.
  • 3.
    The Airlock IAM-IDP performs the logout on SP-2 (and any further SPs which always redirect back to the IDP).
  • 4.
    Now the user is logged out locally on the IDP and the browser is redirected back to the initiating SP-1 with a final "Logout Response" confirming that the Single-Logout is completed.
  • 5.
    The after-logout-page is sent to the browser by the SP-1