Configuring Single Logout (SLO) using SAML Authentication
In an SSO environment, single logout (SLO) logs you out of all applications to which you were authenticated through the same identity provider.
Steps for configuring Identity Provider-Initiated SAML Single Logout
Configure the Single Logout domain under ACCESS CONTROL > Authentication Policies > Edit Authentication > SAML SP Configuration > Advanced Configuration.
Create the authorization policy for the configured Single Logout domain. You can skip this step if you already have an authorization policy for the Single Logout domain.
Ensure that all the authorization policies for the SAML authentication service use the same digest algorithm (SHA1, SHA256, or none).
SAML Single Logout can be initiated in two ways: IdP-initiated and SP-initiated.
Make sure the following is configured before initiating SAML single logout:
The <host> should be part of an authorization policy as created in the logout configuration steps.
The <host> application should be a part of single sign-on before you perform the logout.
IdP-Initiated Single Logout
To perform the logout using Active Directory Federation Service (ADFS) as the IdP, do the following:
Enter the following in the web browser: https://<adfshost>/adfs/ls/idpinitiatedsignon.aspx
Select the application on the IdP from which you want to log out.
Click the Sign Out button that has this text next to it: Sign out from all the sites that you have accessed.
SP-Initiated Single Logout
SP-Initiated Single Logout can be done in the following way:
Enter the following in the web browser: https://<host>/saml.sso/login?LOGOUT
Example: https://www.abc.com/saml.sso/login?LOGOUT
In a multiple-IdP environment, if different identity providers are selected for authenticating different applications (i.e., the applications are not in the same SSO environment/setup), then entering the above LOGOUT URL in the web browser performs a normal logout from the identity provider instead of a Single Logout.