Info: What is Single Logout (SLO)? When a user logs out from one client application, the user is automatically logged out from all the other client applications in the same login session. This eliminates the need to log out from each client application one by one.
...
- When a user is logged out from the RP, the RP redirects to the OP's logout endpoint URL to log out the user at the OP.

The logout endpoint URL can be discovered using the `end_session_endpoint` parameter in the OIDC Discovery response.

Info: For more information on OIDC Discovery, see OpenID Connect Discovery.

The logout endpoint URL is in the following format.

Format: `https://<PRODUCT_HOST>:<PRODUCT_PORT>/oidc/logout`

Example: `https://localhost:9443/oidc/logout`

The logout request sent by the RP to the OP includes the following query parameters.

| Query Parameter | Applicability | Description |
| --- | --- | --- |
| `id_token_hint` | Recommended | This is the previously issued ID token, passed to the logout endpoint as a hint about the user's current authentication session with the RP. It indicates the identity of the user that the RP is requesting to be logged out by the OP. If the `id_token_hint` is passed to the logout endpoint, WSO2 Identity Server identifies the RP to which the token was issued and redirects the user to the callback URL of the RP that is configured in WSO2 Identity Server. To learn how to configure the RP in WSO2 Identity Server, see Configurations. If the `id_token_hint` is not passed to the logout endpoint, the user is redirected to the default logout page after a successful logout. |
| `post_logout_redirect_uri` | Optional | This is the URL to which the RP requests that the end user's user agent be redirected after a logout. Note: The `post_logout_redirect_uri` should be registered in WSO2 Identity Server based on the regex option provided for configuring multiple callback URLs. Tip: To learn how to configure the RP with multiple callback URLs in WSO2 Identity Server, see Configurations. |
| `state` | Optional | This is an opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified in the `post_logout_redirect_uri` query parameter. If `state` is included in the logout request, WSO2 Identity Server passes this value back to the RP in the `state` query parameter when redirecting the user agent back to the RP. |
OP iframe URL
- The RP may rely on the expiration time of the ID token to expire the RP session. If the user logs out of the OP before the token expires, there must be a mechanism to verify the user's login status at the OP. For this, once the session is established through the authentication request and response, the login status at the OP is verified by polling a hidden OP iframe from an RP iframe.
- The OP iframe URL is the URL of the OP iframe that supports cross-origin communication of session state information with the RP, using the HTML5 postMessage API. The page is loaded in an invisible iframe embedded in an RP page, which lets it run in the OP's security context. The OP iframe URL accepts postMessage requests from the relevant RP iframe and uses postMessage to post back the user's login status at the OP.

The OP iframe URL can be discovered using the `check_session_iframe` parameter in the OIDC Discovery response.

Info: For more information on OIDC Discovery, see OpenID Connect Discovery.

The OP iframe URL is in the following format.

Format: `https://<PRODUCT_HOST>:<PRODUCT_PORT>/oidc/checksession`

Example: `https://localhost:9443/oidc/checksession`

The RP should request the page from the OP iframe URL with the following query parameter.

| Query Parameter | Applicability | Description |
| --- | --- | --- |
| `client_id` | Mandatory | This is the client key of the RP that is configured in WSO2 Identity Server. Tip: To learn the step at which the client key is generated when configuring the RP in WSO2 Identity Server, see step 2.g under Configurations. |

OIDC session management works with two hidden iframes, one at the RP and the other at the identity provider. The RP checks the session state by using the RP iframe to continuously poll the hidden identity provider iframe, without causing network traffic. Thereby, the RP is notified when the session state of the end user has changed. The flow is as follows.

How it works

- The RP iframe polls the identity provider iframe for the session status.
- The identity provider iframe sends back a post message reporting the session state as `changed`, `unchanged`, or `error`.
- If the session state is `changed`, the RP sends a passive request for re-authentication.
- If the end user has logged out from the identity provider, the RP receives an authentication failure message along with a new session state value. The RP handles this as an end user logout.
- If the end user has not logged out, the RP receives a successful authentication response along with a new session state value.
...
- When a user is logged out from the RP, the RP redirects to the OP's logout endpoint URL to log out the user at the OP.

The logout endpoint URL can be discovered using the `end_session_endpoint` parameter in the OIDC Discovery response.

Info: For more information on OIDC Discovery, see OpenID Connect Discovery.

The logout endpoint URL is in the following format.

Format: `https://<PRODUCT_HOST>:<PRODUCT_PORT>/oidc/logout`

Example: `https://localhost:9443/oidc/logout`

The logout request sent by the RP to the OP includes the following query parameters.

| Query Parameter | Applicability | Description |
| --- | --- | --- |
| `id_token_hint` | Recommended | This is the previously issued ID token, passed to the logout endpoint as a hint about the user's current authentication session with the RP. It indicates the identity of the user that the RP is requesting to be logged out by the OP. If the `id_token_hint` is passed to the logout endpoint, WSO2 Identity Server identifies the RP to which the token was issued and the user's session in which that RP participated, using the `sid` claim in the ID token, and redirects the user to the callback URL of the RP that is configured in WSO2 Identity Server. To learn how to configure the RP in WSO2 Identity Server, see Configurations. If the `id_token_hint` is not passed to the logout endpoint, the user is redirected to the default logout page after a successful logout. When WSO2 Identity Server receives a logout request from the RP, it identifies all other RPs that participated in the same session and triggers back-channel logout requests to those RPs that are registered in WSO2 Identity Server with a back-channel logout URL. |
| `post_logout_redirect_uri` | Optional | This is the URL to which the RP requests that the end user's user agent be redirected after a logout. Note: The `post_logout_redirect_uri` should be registered in WSO2 Identity Server based on the regex option provided for configuring multiple callback URLs. Tip: To learn how to configure the RP with multiple callback URLs in WSO2 Identity Server, see Configurations. |
| `state` | Optional | This is an opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified in the `post_logout_redirect_uri` query parameter. If `state` is included in the logout request, WSO2 Identity Server passes this value back to the RP in the `state` query parameter when redirecting the user agent back to the RP. |
How it works
Let's take a look at the underlying message flow of the OIDC back-channel logout.
...