I want to enable SLO for our service. I set up the SLO endpoint to listen for logout requests from the IdPs. Problem is when we get a request, there’s no UserID attached like there is for the assertion consumer service. We want to invalidate the token for the user that is being logged out, but if we have no UserID, we don’t know which user is being logged out. How would we figure this out? Or is it perhaps that I don’t have a fundamental understanding of the SLO process?
Hi Ben
The SLO will be in the same browser session as the original SSO where you established a local authentication session in your application (ie the same authentication cookie).
This means that when you receive the logout request, it will be in the context of the same logged in user.
You simply log out the currently logged in user locally.