In IdP-initiated single logout (SLO), the user starts at the IdP site, and clicks a link to logout out of the IdP site and every SP site to which there is an SSO session.
The following diagram outlines the IdP-initiated SLO flow.
- The user has already SSO’d to one or more service providers.
- The user clicks a link at the IdP site to initiate SLO.
- The user is logged out of the IdP site.
- A logout request is sent to the SP site.
- The user is logged out of the SP site.
- A logout response is sent to the IdP site.
Note that steps 4 through 6 are repeated for each service provider.