Implementing SAML Logout in an application

Hello,

We’ve implemented SAML Login in our application. We notice that there isn’t a SAML Logout node. Is there a way of implementing the logout in a similar way to the SAML Login node?

Thank you in advance.

To log a user out, you need to remove the authorization cookie.

If you used the Azure Active Directory SSO template as the basis for your implementation, you can see in the POST /tl-saml workflow that once the IDP sends a successful login, the workflow generates a Losant auth token for that user and saves it in the authorization cookie. Once set, all subsequent requests to experience endpoints will receive that cookie and authenticate the user.

You can get an example log out workflow from the Log In template. The Log Out workflow in that template only has a single node that removes the authorization cookie and redirects the user back to the /login endpoint.

Once the cookie is removed, the user will be forced to log in again using your SSO provider.

Hey Brandon, thanks for your answer!

We are actually already removing the authorization cookie in the way you describe.

Once we log the user out and try to log in with another user with the same domain, the application is redirected to the previous user account.

This only happens when we have only one account in the Active Directory; if there is more than one, it shows another account to log in with.

Is there a way of configuring the identity provider with some URL to do the logout and avoid that behavior (maybe in the metadata)?

The problem is that deleting the cookie prevents Losant from remembering that user, but the IDP will use a different cookie to remember the user. So when that browser returns to the IDP for authentication, the IDP will assume it’s the same user.

There’s no concept within SAML to log out a user from the IDP itself. Service providers can only log out of their specific apps, they can’t cause the user to log out from the IDP entirely.

To log the user out of your IDP, you’ll need to redirect the user to your IDP’s logout page. You can do this by modifying the Endpoint Reply Node to redirect to your IDP instead of redirecting to /login. Many IDPs will support an additional query parameter that can then redirect the user back to your Losant app after the logout has completed.
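The reply Brandon describes (clear the app's session cookie, then send the browser to the IdP's logout page with a return URL), as an added example in Node-style JavaScript that is not part of this thread or of Losant's Endpoint Reply Node; the cookie name, the IdP logout URL, the `returnTo` parameter name and the app origin are assumed placeholders. It goes one step beyond the thread by allowlisting the return URL, so the logout redirect cannot be turned into an open redirect.

```javascript
// Added example (not Losant's code). Builds the HTTP reply that ends the SP
// session and forwards the browser to the IdP logout page with a return URL.
const AUTH_COOKIE = "authorization";                      // assumed cookie name
const IDP_LOGOUT_URL = "https://idp.example.com/logout";  // placeholder IdP logout page
const RETURN_PARAM = "returnTo";                          // assumed IdP query parameter

// Only return URLs on our own origin are accepted; anything else falls back to
// the default login page, so the logout flow cannot be abused as an open redirect.
const ALLOWED_RETURN_ORIGIN = "https://app.example.com";  // placeholder app origin
const DEFAULT_RETURN = `${ALLOWED_RETURN_ORIGIN}/login`;

function safeReturnUrl(candidate) {
  try {
    // Relative paths resolve against our origin; absolute and protocol-relative
    // URLs (and schemes like javascript:) keep their own origin and are rejected.
    const u = new URL(candidate, ALLOWED_RETURN_ORIGIN);
    return u.origin === ALLOWED_RETURN_ORIGIN ? u.toString() : DEFAULT_RETURN;
  } catch {
    return DEFAULT_RETURN; // unparsable input
  }
}

function buildLogoutReply(requestedReturn) {
  const logout = new URL(IDP_LOGOUT_URL);
  // searchParams.set() percent-encodes the return URL for us.
  logout.searchParams.set(RETURN_PARAM, safeReturnUrl(requestedReturn));
  return {
    statusCode: 302,
    headers: {
      // Expire the cookie with the same Path (and Domain, if one was set) it was
      // issued with; a mismatch leaves the original cookie in place and the user
      // stays logged in to the app even though the IdP session is ended.
      "Set-Cookie": `${AUTH_COOKIE}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`,
      Location: logout.toString(),
    },
  };
}
```

Clearing the cookie alone only ends the Losant session; the `Location` hop is what ends the IdP session, and the IdP then returns the user to the allowlisted URL.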