Single logout is a form of logout that terminates all local sessions and the global session opened for a specific user. Single logout is invoked only by authorized users. It requires the SP and the IdP to perform specific actions in a specific order. This communication model is briefly described in this section.
First, a user asks an SP to initiate single logout. The SP closes the user's local sessions and sends a <LogoutRequest> message to the IdP. Using the message contents, the IdP determines which SPs have local sessions for the user and sends a <LogoutRequest> to each of them. Each SP terminates all local sessions opened for the user and sends a <LogoutResponse> message back to the IdP. If all local sessions are successfully closed, the IdP closes the user's global session and issues a <LogoutResponse> message to the SP that originally requested the logout. If single logout fails, the IdP still issues a <LogoutResponse> with a notification about partial logout, but does not close the global session.
The following diagram represents the model described above:
For details on the graphical conventions used in this diagram, refer to the Graphical Conventions section.
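The exchange described above, as an added simulation that is not part of the original page or of any SSO product: an SP closes its local sessions and sends a <LogoutRequest>, the IdP fans the request out to every other SP holding a session, checks that each <LogoutResponse> correlates with its request (InResponseTo) and reports Success, and closes the global session only then, otherwise answering the requesting SP with PartialLogout. The status URIs are the real SAML 2.0 values; the dict-based messages, entity ids and session stores are constructed stand-ins for the XML and for real session storage.

```python
import uuid
# Real SAML 2.0 status URIs; everything else here is a constructed simulation.
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
IDP_ID = "https://idp.example.invalid"  # constructed IdP entity id

class ServiceProvider:
    def __init__(self, entity_id, broken=False):
        self.entity_id, self.broken = entity_id, broken  # broken: cannot close sessions
        self.sessions = {}  # name_id -> set of local session ids

    def initiate_logout(self, name_id):
        """User-initiated: close local sessions, build the <LogoutRequest> for the IdP."""
        self.sessions.pop(name_id, None)
        return {"ID": uuid.uuid4().hex, "Issuer": self.entity_id, "NameID": name_id}

    def handle_logout_request(self, req):
        """IdP-initiated <LogoutRequest>: terminate sessions, echo its ID in InResponseTo."""
        if not self.broken: self.sessions.pop(req["NameID"], None)
        status = PARTIAL if req["NameID"] in self.sessions else SUCCESS
        return {"InResponseTo": req["ID"], "Issuer": self.entity_id, "Status": status}

class IdentityProvider:
    def __init__(self, sps):
        self.sps = {sp.entity_id: sp for sp in sps}
        self.global_sessions = {}  # name_id -> set of SP entity ids holding a session

    def login(self, name_id, sp_id, session_id):
        self.global_sessions.setdefault(name_id, set()).add(sp_id)
        self.sps[sp_id].sessions.setdefault(name_id, set()).add(session_id)

    def handle_logout_request(self, req):
        """Fan out to every other SP; close the global session only if all succeed."""
        name_id, all_ok = req["NameID"], True
        for sp_id in self.global_sessions.get(name_id, set()) - {req["Issuer"]}:
            out = {"ID": uuid.uuid4().hex, "Issuer": IDP_ID, "NameID": name_id}
            resp = self.sps[sp_id].handle_logout_request(out)
            # A response counts only if it correlates with our request and reports Success.
            all_ok = all_ok and resp.get("InResponseTo") == out["ID"] and resp["Status"] == SUCCESS
        if all_ok: self.global_sessions.pop(name_id, None)
        return {"InResponseTo": req["ID"], "Issuer": IDP_ID,
                "Status": SUCCESS if all_ok else PARTIAL}

def single_logout(name_id="alice", broken_sp=False):
    """Run one exchange started at sp-a; return (status, global session still open?)."""
    sp_a, sp_b = ServiceProvider("sp-a"), ServiceProvider("sp-b", broken=broken_sp)
    idp = IdentityProvider([sp_a, sp_b])
    idp.login(name_id, "sp-a", "s1"); idp.login(name_id, "sp-b", "s2")
    resp = idp.handle_logout_request(sp_a.initiate_logout(name_id))
    return resp["Status"], name_id in idp.global_sessions
```

Running `single_logout()` returns Success with the global session gone; `single_logout(broken_sp=True)` returns PartialLogout and the IdP keeps the global session, mirroring the failure case in the text.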
It is up to developers to decide whether to build single logout into their applications or services. For details on how to add this functionality, refer to the Integrating Into SSO System section.