Actions when the user logs out

This article explains what happens in Airlock IAM when a user logs out using the logout button and what happens if a user quits without signing out (e.g. by closing the browser or the application).

When a user signs out of a session, i.e., by clicking the logout button, Airlock IAM does not only have to terminate the corresponding HTTP session but also needs to clean up other artifacts created during the session. These artifacts may include Remember-Me cookies, OAuth tokens, SAML sessions, representee sessions, etc. To keep track of what to do when end-users explicitly log out, IAM uses its logout actions concept.

The following table lists examples of different logout actions for a number of authentication use cases:

Use case

Logout actions

When user quits without logout

  • The Remember-Me cookie is invalidated on IAM.
  • The Remember-Me cookie is used to skip one or more authentication steps until it is invalidated on IAM or it times out.
  • No action.
    (The Remember-Me cookie is accepted by IAM until its configured expiration date.)
  • No action.
    (The Remember-Me cookie is accepted by IAM until its configured expiration date.)
  • With SAML 2.0, IAM (as IdP) terminates the user session and all sessions of other session providers involved in the SAML single sign-on session.
  • The IAM HTTP session is terminated after the Gateway timeout.
  • The timeout session behavior of the involved session providers depends on their individual configuration.
  • The sessions of the representer and representee are terminated and the representer is redirected to the after-logout page.
  • Both HTTP sessions are terminated after a timeout.
  • Depending on the Airlock IAM configuration, the logout deletes all OAuth/OIDC tokens of the user.
  • When the Airlock IAM HTTP session is terminated e.g. after a timeout. The OAuth/OIDC session remains valid.

Authorization codes, access tokens, and refresh tokens should be configured according to our OAuth and OIDC security best practices.

  • When the user logs out of the web app/back-end application, IAM (as OIDC Relying Party) terminates the HTTP session and redirects the user to the logout endpoint of the OpenID Provider.
  • The IAM HTTP session is terminated after the timeout.

The validity of the OpenID provider session depends on the provider's configuration.

Airlock Gateway Logout Propagation can interfere with the user logout process and should not be used in most of the use cases listed. For example, if Airlock Gateway Logout Propagation is used with the Remember-Me keep me logged in configuration, the propagated logout will cause Airlock IAM to delete the Remember-Me cookie. This would render the keep me logged in function useless.