In SP-initiated single logout (SLO), the user starts at the SP site and clicks a link to log out of the IdP site and every SP site with which there is an SSO session.
The following diagram outlines the SP-initiated SLO flow.
[Diagram: SP-initiated SLO flow]
1. The user has already SSO’d to one or more service providers.
2. The user clicks a link at the SP site to initiate SLO.
3. The user is logged out of the SP site.
4. A logout request is sent to the IdP site.
5. The user is logged out of the IdP site.
6. A logout response is sent to the SP site.
Note that the identity provider sends a logout request and expects a logout response from every other service provider apart from the initiating service provider. This occurs between steps 5 and 6.
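The ordering described above, including the fan-out to the other service providers between steps 5 and 6, can be modelled in a few lines. This is an added example, not code from the original page or from any product: the class names, function names, SP names and the `reachable` switch are all hypothetical, and no real protocol messages are built. It also shows what the flow implies when one SP never answers: that SP's local session survives the logout.

```python
# Added illustration: in-memory model of the SP-initiated SLO ordering.
# All names are hypothetical; sessions are plain sets, messages are trace strings.
from dataclasses import dataclass, field

@dataclass
class ServiceProvider:
    name: str
    sessions: set = field(default_factory=set)  # users with a local session
    reachable: bool = True                      # constructed failure switch

    def handle_logout_request(self, user):
        """Logout request from the IdP; True stands for a logout response."""
        if not self.reachable:
            return False            # no response; local session is left in place
        self.sessions.discard(user)
        return True

@dataclass
class IdentityProvider:
    sso_sessions: dict = field(default_factory=dict)  # user -> SPs in the SSO session

    def sso(self, user, sp):
        self.sso_sessions.setdefault(user, []).append(sp)
        sp.sessions.add(user)

    def handle_logout_request(self, user, initiator, trace):
        participants = self.sso_sessions.pop(user, [])
        trace.append("5: user logged out of IdP")
        failed = []
        for sp in participants:
            if sp is initiator:     # the initiating SP gets a response, not a request
                continue
            trace.append(f"5a: logout request -> {sp.name}")
            if sp.handle_logout_request(user):
                trace.append(f"5b: logout response <- {sp.name}")
            else:
                failed.append(sp.name)
        trace.append(f"6: logout response -> {initiator.name}")
        return failed

def sp_initiated_slo(idp, initiator, user):
    """Run steps 2-6 and return (trace, SPs that did not respond)."""
    trace = [f"2: user clicks logout at {initiator.name}"]
    initiator.sessions.discard(user)
    trace.append(f"3: user logged out of {initiator.name}")
    trace.append("4: logout request -> IdP")
    failed = idp.handle_logout_request(user, initiator, trace)
    return trace, failed
```

A non-empty second return value means the logout was only partial, which the initiating SP should surface to the user instead of reporting a complete logout.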