IDP Logout, text asking user whether or not to kill the IDP session

Eric Goodman Eric.Goodman at
Tue Oct 22 12:57:01 EDT 2013

>>As I understand it, I can pass the Logout endpoint a url to redirect 
>>to, but my application would have to identify the IDP that was used, 
>>and then "somehow" obtain the url for its Logout endpoint.

>That's not a SAML logout, that's a Local logout.

>A SAML logout means you either cede UI to the IdP, or you expect to 
>get a LogoutResponse back (turning off the async option we added to 
>distinguish this). You can pass a return parameter to the SP 
>LogoutInitiator and it will be saved as RelayState in the SAML case 
>and redirected to after the response, or used directly in the Local 

Dumb questions: how long does the SAML logout in the SP retain the knowledge of the source IdP? As long as the SP'a session? As long as the DS "which IdP do you use cookie"? I.e., if a user sits idle at an RP page long enough that the RP and SP session "dies", then clicks the "logout" link, will the SP still be able to redirect back to the correct IDP logout link? 

In asking this question I'm assuming that (a) some IdP SSO sessions are actually longer than the SP/RP session and (b) there's some perceived value (e.g., killing the IdP SSO session) that is gained by hitting the IdP SLO URL even if the user is already logged out of the SP/RP locally.

--- Eric 

More information about the users mailing list