CIAM.wiki

Single Logout (SLO)

Single Logout (SLO) is a mechanism that terminates a user's sessions across all applications and the identity provider in a single action. It is the inverse of single sign-on.

Also: SLO, single logout

Single Logout is the process of ending a user’s authenticated sessions across multiple applications and the identity provider at the same time. When single sign-on creates sessions in several applications from one login event, SLO ensures that a logout in any one of those applications can propagate to all the others.

In OpenID Connect, RP-Initiated Logout lets a relying party redirect the user to the provider’s logout endpoint with a hint identifying the session. The provider ends the session and can notify other relying parties. SAML defines its own SLO protocol using logout request and response messages exchanged between the identity provider and service providers.

SLO is harder to implement reliably than SSO. Applications may be in different tabs, use different session mechanisms, or be offline when the logout notification arrives. Partial logout, where some sessions survive, is a known limitation.
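The partial-logout case described above, as an added example that is not part of the original page: a simplified provider-side model that ends its own session, notifies each application, and keeps unconfirmed applications pending for retry instead of reporting them as logged out. The `Provider` and `App` classes, the `sid-1` identifier and the application names are constructed for illustration and do not follow any specific OpenID Connect or SAML message format.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

@dataclass
class Provider:
    notifiers: Dict[str, Callable[[str], bool]]  # app -> True once its session is destroyed
    sso: Dict[str, Set[str]] = field(default_factory=dict)      # sid -> apps with a session
    pending: Dict[str, Set[str]] = field(default_factory=dict)  # sid -> apps not yet confirmed

    def login(self, sid, app):
        self.sso.setdefault(sid, set()).add(app)

    def logout(self, sid):
        # The provider session ends regardless of what the apps answer.
        self.pending[sid] = self.sso.pop(sid, set())
        return self.retry(sid)

    def retry(self, sid):
        """Notify unconfirmed apps; return the apps whose session still survives."""
        left = self.pending.get(sid, set())
        for app in sorted(left):
            try:
                if self.notifiers[app](sid):
                    left.discard(app)
            except ConnectionError:
                pass  # offline app stays pending instead of being reported as logged out
        if not left:
            self.pending.pop(sid, None)
        return set(left)

class App:  # constructed stand-in for an application with its own session store
    def __init__(self):
        self.online, self.sessions = True, set()
    def notify(self, sid):
        if not self.online:
            raise ConnectionError("unreachable")
        self.sessions.discard(sid)
        return True

def demo():
    shop, billing = App(), App()
    idp = Provider({"shop": shop.notify, "billing": billing.notify})
    for name, app in (("shop", shop), ("billing", billing)):
        idp.login("sid-1", name)
        app.sessions.add("sid-1")
    billing.online = False            # constructed failure: billing is offline
    first = idp.logout("sid-1")
    billing.online = True
    return first, idp.retry("sid-1"), billing.sessions
```

The first pass leaves the billing session alive even though the provider session is gone; only the retry closes it, which is why a logout result should list surviving applications rather than a single success flag.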

For CIAM, SLO is important when customers expect that logging out of one service ends their session everywhere, which protects them on shared or public devices.
