In an SSO environment, a single logout (SLO) signs you out of every application to which you authenticated through the same identity provider (IdP) in one step.
Steps for configuring Identity Provider-Initiated SAML Single Logout
- Configure Single Logout domain under ACCESS CONTROL > Authentication Policies > Edit Authentication > SAML SP Configuration > Advanced Configuration.
- Create the authorization policy for the configured Single Logout domain. You can skip this step if you already have an authorization policy for Single Logout domain.
- Ensure that all authorization policies for the SAML authentication service use the same digest algorithm (SHA1, SHA256, or none).
SAML Single Logout can be initiated in two ways: by the IdP or by the SP. Before initiating either kind of logout, make sure the following is configured:
- <host> must be covered by an authorization policy, as created in the configuration steps above.
- The <host> application must already be part of the single sign-on session before you perform the logout; otherwise there is no session for the logout to end.
IdP-Initiated Single Logout
To perform the logout using Active Directory Federation Services (AD FS) as the IdP, do the following:
- Enter the following in the web browser: https://<adfshost>/adfs/ls/idpinitiatedsignon.aspx
- Select the application on the IdP from which you want to log out.
- Click the Sign Out button next to the text "Sign out from all the sites that you have accessed".
SP-Initiated Single Logout
SP-Initiated Single Logout can be done in the following way:
Enter the following in the web browser: https://<host>/saml.sso/login?LOGOUT
Example: https://www.abc.com/saml.sso/login?LOGOUT
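What happens after the SP-initiated step above is not visible in the browser: the SP answers the ?LOGOUT request by redirecting the browser to the IdP's single logout endpoint with a SAML 2.0 LogoutRequest in the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoded into a SAMLRequest parameter). The example below is added here and is not code from the original page or from the product; it builds such a request, encodes it as the SP would, decodes it as the IdP would, and runs the checks an IdP should apply before ending sessions. The SP entity ID, the IdP endpoint URL, the user and session identifiers are constructed sample values, and signature verification (required in practice) is left out.

```python
"""Added example: SP-initiated SAML 2.0 LogoutRequest over the HTTP-Redirect
binding, plus the receiving side's sanity checks. Not the product's own code;
all identifiers below are constructed sample values."""
import base64
import uuid
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample values (assumptions, not taken from the page).
SAMPLE_SP_ISSUER = "https://www.abc.com/saml.sso"
SAMPLE_IDP_SLO = "https://adfs.example.test/adfs/ls/"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def build_logout_request(issuer, name_id, session_index, destination,
                         now=None, validity=timedelta(minutes=5)):
    """Build the LogoutRequest XML the SP sends when ?LOGOUT is hit."""
    now = now or datetime.now(timezone.utc)
    dest = escape(destination, {'"': "&quot;"})
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now.strftime(TIME_FMT)}" '
        f'Destination="{dest}" NotOnOrAfter="{(now + validity).strftime(TIME_FMT)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{escape(name_id)}</saml:NameID>"
        f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def encode_redirect(request_xml, destination, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate
    data = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(data).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return destination + "?" + urlencode(params)


def decode_redirect(url):
    """Reverse of encode_redirect: what the IdP sees after the browser follows it."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def check_logout_request(request_xml, expected_issuer, receiving_endpoint, now=None):
    """Checks an IdP should make before ending sessions. Returns a list of
    problems; an empty list means the request is acceptable (signature
    verification is assumed to happen separately and is not shown here)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{NS_SAMLP}}}LogoutRequest":
        return [f"unexpected root element {root.tag}"]
    problems = []
    if root.get("Version") != "2.0":
        problems.append("Version is not 2.0")
    # Destination must be the endpoint that actually received the request,
    # otherwise a request captured for one endpoint could be replayed to another.
    if root.get("Destination") != receiving_endpoint:
        problems.append("Destination does not match the receiving endpoint")
    issuer = root.findtext(f"{{{NS_SAML}}}Issuer")
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} is not a registered SP")
    if root.find(f"{{{NS_SAML}}}NameID") is None:
        problems.append("no NameID: cannot tell whose session to end")
    if root.find(f"{{{NS_SAMLP}}}SessionIndex") is None:
        problems.append("no SessionIndex: would have to end every session of the subject")
    expiry = root.get("NotOnOrAfter")
    if expiry and datetime.strptime(expiry, TIME_FMT).replace(tzinfo=timezone.utc) <= now:
        problems.append("request expired (NotOnOrAfter is in the past)")
    return problems


def demo():
    """Round trip for the sample session; returns the problems found."""
    xml = build_logout_request(SAMPLE_SP_ISSUER, "alice@abc.com", "_session-1",
                               SAMPLE_IDP_SLO, now=SAMPLE_NOW)
    url = encode_redirect(xml, SAMPLE_IDP_SLO, relay_state="https://www.abc.com/")
    received = decode_redirect(url)
    return check_logout_request(received, SAMPLE_SP_ISSUER, SAMPLE_IDP_SLO, now=SAMPLE_NOW)


if __name__ == "__main__":
    print("problems:", demo())
```

The checks mirror the prerequisites listed above: the request must come from an SP the IdP knows (the issuer) and must refer to a session that exists (NameID and SessionIndex). A request whose Destination does not match the endpoint that received it, or whose NotOnOrAfter has passed, should be refused rather than used to end sessions.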