Besides techniques for Single Sign-On, SAML also defines two techniques for Single Logout (SLO), both of which are supported by Airlock IAM:
IDP-initiated SLO
With IDP-initiated SLO, the logout process is started on the Airlock IAM-IDP:
- A logout is started on the Airlock IAM IDP.
- The browser is redirected to the first SP (SP-1) for logout and is always redirected back to the IDP, regardless of whether the session with SP-1 was still active.
- The browser is redirected to the second SP (SP-2) for logout and is always redirected back to the IDP, regardless of whether the session with SP-2 was still active.
- When the browser returns to the Airlock IAM-IDP after the last logout, the Airlock IAM-IDP returns the after-logout page.
(At this point logouts on further SPs could be performed; they are omitted in the figure for simplicity. Note that logouts are only performed on SPs for which the user previously received an Assertion.)
SP-initiated SLO
- A Single-Logout is initiated on one of the SPs (here SP-1).
- The SP sends a "Logout Request" via the browser to the Airlock IAM-IDP.
- The Airlock IAM-IDP performs the logout on SP-2 (and on any further SPs, each of which redirects back to the IDP).
- The user is now logged out locally on the IDP, and the browser is redirected back to the initiating SP-1 with a final "Logout Response" confirming that the Single Logout is complete.
- The after-logout page is sent to the browser by SP-1.
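The following added example models both flows described above (IDP-initiated and SP-initiated SLO) in plain Python. It is illustrative code written for this page, not Airlock IAM's implementation: the "Logout Request" and "Logout Response" messages are plain dicts standing in for the SAML XML, browser redirects are direct method calls, and there is no signing or HTTP. The class names, the entity ID `https://iam.example.test/idp`, the user `alice` and the SPs `sp-1`, `sp-2`, `sp-3` are constructed for the example. It demonstrates the two points a defender cares about in the text: the IDP only contacts SPs that actually received an Assertion in the session (`sp-3` never did, so it is never asked to log out), and an SP always answers with a Logout Response even when its local session had already ended (`sp-2`), so the browser always comes back to the IDP.

```python
from dataclasses import dataclass, field

IDP_ENTITY_ID = "https://iam.example.test/idp"   # constructed value, not a real endpoint


@dataclass
class ServiceProvider:
    entity_id: str
    local_sessions: set = field(default_factory=set)   # users with an active SP session

    def consume_assertion(self, name_id):
        # An Assertion from the IDP establishes a local session at this SP.
        self.local_sessions.add(name_id)

    def handle_logout_request(self, request):
        # Terminate the local session if one exists. A Logout Response is sent
        # in every case, so the browser is always redirected back to the IDP,
        # whether or not the session was still active.
        name_id = request["NameID"]
        was_active = name_id in self.local_sessions
        self.local_sessions.discard(name_id)
        return {"type": "LogoutResponse", "Issuer": self.entity_id,
                "InResponseTo": request["ID"], "Status": "Success",
                "session_was_active": was_active}

    def initiate_logout(self, idp, name_id):
        # SP-initiated SLO: end the local session, send a Logout Request to the
        # IDP and wait for the final Logout Response before serving the page.
        self.local_sessions.discard(name_id)
        request = {"type": "LogoutRequest", "ID": f"{self.entity_id}#slo",
                   "Issuer": self.entity_id, "NameID": name_id}
        response = idp.handle_logout_request(request)
        if response["InResponseTo"] != request["ID"] or response["Status"] != "Success":
            raise RuntimeError("Single Logout did not complete")
        return "after-logout page served by " + self.entity_id


@dataclass
class IdentityProvider:
    sps: dict                                   # entity_id -> ServiceProvider
    sessions: dict = field(default_factory=dict)  # name_id -> SPs that received an Assertion
    trace: list = field(default_factory=list)     # (sp_id, status, session_was_active)

    def issue_assertion(self, name_id, sp_id):
        # Record which SPs took part in the session; only these get logged out.
        self.sps[sp_id].consume_assertion(name_id)
        self.sessions.setdefault(name_id, set()).add(sp_id)

    def _logout_participants(self, name_id, exclude=None):
        # Send a Logout Request to every participating SP (except the one that
        # initiated the logout, if any) and collect the responses.
        for sp_id in sorted(self.sessions.get(name_id, set())):
            if sp_id == exclude:
                continue
            request = {"type": "LogoutRequest", "ID": f"{IDP_ENTITY_ID}#{sp_id}",
                       "Issuer": IDP_ENTITY_ID, "NameID": name_id}
            response = self.sps[sp_id].handle_logout_request(request)
            self.trace.append((sp_id, response["Status"], response["session_was_active"]))
        self.sessions.pop(name_id, None)        # local IDP logout

    def initiate_logout(self, name_id):
        # IDP-initiated SLO: log out all participants, then serve the IDP's page.
        self._logout_participants(name_id)
        return "after-logout page served by " + IDP_ENTITY_ID

    def handle_logout_request(self, request):
        # SP-initiated SLO: log out the other participants, log out locally,
        # then answer the initiating SP with the final Logout Response.
        name_id = request["NameID"]
        self._logout_participants(name_id, exclude=request["Issuer"])
        return {"type": "LogoutResponse", "Issuer": IDP_ENTITY_ID,
                "InResponseTo": request["ID"], "Status": "Success"}


def build_federation():
    # Constructed scenario: alice got Assertions for sp-1 and sp-2 but not sp-3,
    # and her session at sp-2 has already ended locally (e.g. timed out).
    sps = {f"sp-{i}": ServiceProvider(f"sp-{i}") for i in (1, 2, 3)}
    idp = IdentityProvider(sps)
    idp.issue_assertion("alice", "sp-1")
    idp.issue_assertion("alice", "sp-2")
    sps["sp-2"].local_sessions.discard("alice")
    return idp, sps


def run_idp_initiated():
    idp, sps = build_federation()
    page = idp.initiate_logout("alice")
    remaining = {sp_id: sorted(sp.local_sessions) for sp_id, sp in sps.items()}
    return page, idp.trace, remaining


def run_sp_initiated():
    idp, sps = build_federation()
    page = sps["sp-1"].initiate_logout(idp, "alice")
    return page, idp.trace, "alice" in idp.sessions


if __name__ == "__main__":
    print(run_idp_initiated())
    print(run_sp_initiated())
```

In the IDP-initiated run the trace shows `sp-1` (session still active) and `sp-2` (session already gone) both answering with `Success`, and `sp-3` never appears; in the SP-initiated run only `sp-2` is contacted by the IDP, and `sp-1` serves the after-logout page once the IDP's Logout Response arrives.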