IdP-initiated Single Logout

In IdP-initiated single logout (SLO), the user starts at the IdP site, and clicks a link to logout out of the IdP site and every SP site to which there is an SSO session.
The following diagram outlines the IdP-initiated SLO flow.

  1. The user has already SSO’d to one or more service providers.
  2. The user clicks a link at the IdP site to initiate SLO.
  3. The user is logged out of the IdP site.
  4. A logout request is sent to the SP site.
  5. The user is logged out of the SP site.
  6. A logout response is sent to the IdP site.

Note that steps 4 through 6 are repeated for each service provider.