What is OIDC Logout
OpenID Connect (OIDC) provides mechanisms for managing user sessions across multiple applications, ensuring a smooth and secure logout process. Front-Channel Logout allows users to log out from all connected applications (Relying Parties or RPs) automatically when they log out from an identity provider (OP/IDP). This method utilizes the user's web browser to send logout requests to each RP, streamlining the process without requiring special embedded frames.
On the other hand, RP-Initiated Logout empowers individual applications to trigger their logout processes with the OP directly. When a user logs out of an RP, the RP can send a request to the OP to also log the user out from its session. This ensures that users are fully logged out from all services they’ve accessed, enhancing security and user experience.
Both mechanisms utilize specific parameters, such as frontchannel_logout_uri in Front-Channel Logout and post_logout_redirect_uri in RP-Initiated Logout, to facilitate communication between the RP and the OP effectively. These approaches work together to provide a comprehensive solution for session management, ensuring that users have control over their logins while maintaining security across interconnected applications.
How to configure it via SPDB
To configure logout for an RP, on the RP landing page of SPDB:
- Select "Configure Logout"
- Register "Frontchannel Logout URI" (required). Upon receiving a logout request, the RP will clear state associated with the logged-in session, including any cookies and HTML5 local storage.
- "Frontchannel Logout Session" (default: true)
If you are implementing RP-Initiated Logout and would like to request that the End-User's User Agent be redirected back to the RP after a logout has been performed, you will need to register "Post Logout Redirect URI" at SPDB. Note that post-logout redirection is only available when the logout is RP-initiated.
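The two flows above, as an added Python example that is not part of this page or of SPDB's own code: the RP builds the RP-Initiated Logout redirect to the OP's end_session_endpoint with the registered post_logout_redirect_uri, and the RP's Frontchannel Logout URI handler checks the OP's iss and sid before clearing session state when "Frontchannel Logout Session" is true. The issuer, endpoint, RP URIs, session ids and the in-memory session store are constructed assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample configuration (assumptions, not values from the page or SPDB).
OP_ISSUER = "https://op.example.com"
OP_END_SESSION_ENDPOINT = "https://op.example.com/logout"  # the OP's end_session_endpoint
# Exactly what the RP registered at SPDB as "Post Logout Redirect URI".
RP_POST_LOGOUT_REDIRECT_URI = "https://rp.example.com/logged-out"


def new_session_store():
    """In-memory stand-in for the RP's session state, keyed by the OP's sid claim.
    Each entry names the cookies and HTML5 local storage keys the RP must clear."""
    return {
        "sid-123": {"user": "alice", "cookies": ["rp_session"], "local_storage": ["cart"]},
        "sid-456": {"user": "bob", "cookies": ["rp_session"], "local_storage": []},
    }


def build_rp_initiated_logout_url(id_token, state,
                                  post_logout_redirect_uri=RP_POST_LOGOUT_REDIRECT_URI):
    """RP-Initiated Logout: the RP redirects the user agent to the OP's end_session_endpoint.
    id_token_hint ties the request to the OP session the ID token was issued for;
    post_logout_redirect_uri must match a URI registered with the OP character for character;
    state is echoed back so the RP can correlate the return redirect with its own request."""
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return f"{OP_END_SESSION_ENDPOINT}?{urlencode(params)}"


def op_allows_post_logout_redirect(requested_uri, registered_uris):
    """OP-side check: only a pre-registered URI may receive the post-logout redirect.
    Exact string comparison, no prefix or substring matching."""
    return requested_uri in registered_uris


def handle_frontchannel_logout(request_url, sessions, current_sid=None, session_required=True):
    """Front-Channel Logout receiver, i.e. the handler behind the registered
    "Frontchannel Logout URI". The OP loads this URL in the user's browser.

    With session_required=True ("Frontchannel Logout Session" = true) the OP adds
    iss and sid to the request, and the RP only terminates the session matching
    both; a request with a different issuer or an unknown sid clears nothing.
    With session_required=False the request carries no sid, so the RP logs out
    whichever session the browser's own cookie identifies (current_sid).

    Returns the list of session ids that were cleared."""
    query = parse_qs(urlsplit(request_url).query)
    iss = query.get("iss", [None])[0]
    sid = query.get("sid", [None])[0]

    if session_required:
        if iss != OP_ISSUER or sid is None:
            return []
        target = sid
    else:
        target = current_sid

    if target not in sessions:
        return []

    session = sessions.pop(target)
    # A real handler would now expire session["cookies"] and have the page drop the
    # session["local_storage"] keys; removing the record stands in for that here.
    return [target]


if __name__ == "__main__":
    store = new_session_store()
    print(build_rp_initiated_logout_url("<id-token>", "abc123"))
    print(handle_frontchannel_logout(
        "https://rp.example.com/frontchannel-logout?iss=https%3A%2F%2Fop.example.com&sid=sid-123",
        store))
```

The handler deliberately returns nothing cleared rather than raising on a mismatch, so a stray or forged front-channel request is a no-op for the RP; the exact-match check in `op_allows_post_logout_redirect` is why the "Post Logout Redirect URI" registered at SPDB must be the literal URI the RP sends.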