Frequently Asked Question: I maintain a web application that uses SAML-based authentication. How do I log people out from my application?
We recommend that you do not put a "logout" feature on your SAML-authenticated application, because at best it clears only your application's own session state in a given browser. Even after a user selects Logout in your application, the IdP session remains: if the user opens a new window and goes back to the application, single sign-on is still in effect (the user is still authenticated at the IdP) and they go straight back in, unless your application requires forced authentication.
If you absolutely require additional assurance for user authentication to your application, we suggest you configure your application to use forced authentication. However, please read the rest of the page for more details on why this might not be a good idea.
Different kinds of sessions
Sessions are usually managed by cookies that a web service sets and the browser stores and sends back on every request. Two sessions matter when thinking about SAML SSO logout:
- The Identity Provider (IdP) session: This session is set up when a user authenticates to the Identity Provider (IdP), usually with a username and password followed (sometimes) by Duo. This is the Single Sign-On (SSO) session: once your browser has it, every time another Service Provider (SP) sends you to the IdP, the IdP recognizes the session and does not ask you to re-authenticate. (If an SP has the "forced authentication" setting turned on, however, the IdP will ask you to re-authenticate for that SP.)
- The Service Provider (SP) session: Most web applications using SAML (called Service Providers or SPs in SAML terms) create their own session once you have authenticated. This session is only used by the SP that set it; the IdP and other SPs know nothing about it.
The problem with "logging out" from SAML SSO
What most people expect when they "log out" of SAML SSO is that afterwards any SAML SSO application they visit will ask them to authenticate again. To accomplish this, the logout would have to do two things:
1. Delete the IdP session
2. Delete all SP sessions
Step 1 by itself is called "simple logout"; steps 1 and 2 together are called "Single Logout".
The problem with your application having a logout feature is that while your application can delete its own session, and can send the user to a link that deletes the IdP session, it has no way to delete the sessions of the other Service Providers. Here is an example of what can happen:
- Jane logs into Service Provider A.
- A little later, Jane logs into Service Provider B.
- Jane goes back to Service Provider A and "logs out".
- Jane walks away from her computer, confident that she has logged out of all applications.
- Eve sits down at Jane's computer and has Jane's authenticated access to application B. Imagine if application B were an HR or financial application!
The only way to completely log out from SAML SSO
As we have seen, the only reliable way to completely log out from SAML SSO is to delete all sessions, both the Identity Provider session and every Service Provider session. Because these are normally session cookies (cookies with no expiry date), this can usually be accomplished by simply closing your browser.
However, this is not guaranteed in all cases: some browsers can be configured to preserve sessions across a close and re-open. For example, Google Chrome can be set to "Continue where you left off", which keeps session cookies across browser restarts. A cookie that was set with an explicit expiry date also survives a restart regardless of this setting.
Furthermore, once people start using certificate-based authentication, for all practical purposes they will never really be logged out. With certificate-based authentication, a user has a long-lived certificate stored on their device that replaces the usual username/password authentication. So a user with a certificate can log out of your site, but the moment they come back they will be logged right back in (although see forced authentication below).
Configuring logout for your site (if you must)
If you decide that you still want some sort of logout feature for your application, we suggest you configure your site with forced authentication. Forced authentication does exactly what it says: even though a user has already authenticated to the Identity Provider, when they come to your site they are forced to authenticate again. (In SAML terms, your Service Provider sets ForceAuthn="true" in the authentication request it sends to the IdP.)
Note that forced authentication goes against the spirit of the "single" in Single Sign-On, and you may annoy your users who will wonder why they are being forced to re-authenticate at your site.
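The following is an added example, not code from the original page or from any particular SAML product, showing the two halves of forced authentication as an SP sees them: emitting ForceAuthn="true" in the AuthnRequest, and then checking the AuthnInstant of the returned assertion so that an IdP which ignores ForceAuthn (and quietly reuses the SSO session) is detected rather than trusted. The entity IDs and URLs are hypothetical, and the assertion is a constructed sample with its signature omitted; in a real SP the signature is validated before anything is read out of the assertion.

```python
from __future__ import annotations

import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical SP and IdP identifiers, assumed for this example.
SP_ENTITY_ID = "https://app.example.edu/saml/metadata"
SP_ACS_URL = "https://app.example.edu/saml/acs"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"


def _instant(iso: str) -> dt.datetime:
    """Parse a SAML xs:dateTime such as 2024-05-01T10:00:00Z (UTC)."""
    return dt.datetime.fromisoformat(iso.replace("Z", "+00:00"))


def build_authn_request(force_authn: bool, issue_instant: str) -> str:
    """Return a minimal <samlp:AuthnRequest> as a string.

    With force_authn=True the request carries ForceAuthn="true", which tells
    the IdP to authenticate the user again even if it already holds an SSO
    session for this browser. (Signing and the HTTP-Redirect/POST encoding
    are left out; a real SP library does those.)
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,   # an xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        # ForceAuthn defaults to false, so it is only emitted when we mean it.
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def sample_assertion(authn_instant: str) -> str:
    """Constructed, unsigned sample assertion used only to exercise the check below."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2024-05-01T10:00:05Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>jane</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def was_freshly_authenticated(assertion_xml: str, request_issue_instant: str,
                              max_skew_seconds: int = 180) -> bool:
    """Check that the IdP really re-authenticated the user.

    ForceAuthn is only a request. An IdP that ignores it returns an assertion
    whose AuthnInstant is the time of the *original* SSO login, possibly hours
    old. The SP should therefore require AuthnInstant to be no earlier than
    its own request, allowing a little clock skew. Call this only after the
    assertion's signature has been validated.
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find(f".//{{{SAML}}}AuthnStatement")
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("assertion has no AuthnStatement/AuthnInstant")
    authn_at = _instant(stmt.attrib["AuthnInstant"])
    requested_at = _instant(request_issue_instant)
    return authn_at >= requested_at - dt.timedelta(seconds=max_skew_seconds)


if __name__ == "__main__":
    requested = "2024-05-01T10:00:00Z"
    print(build_authn_request(True, requested))
    # IdP reused a 07:30 SSO login: ForceAuthn was not honoured.
    print(was_freshly_authenticated(sample_assertion("2024-05-01T07:30:00Z"), requested))
    # IdP re-authenticated seconds after our request: fresh.
    print(was_freshly_authenticated(sample_assertion("2024-05-01T10:00:04Z"), requested))
```

The AuthnInstant check is what turns forced authentication from a request into a guarantee: if it fails, treat the login as not forced and re-send the AuthnRequest or refuse access, rather than assuming the IdP did what it was asked.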
We recommend that your logout page include a link to the IdP's simple logout page with some text saying "If you want to delete the SAML SSO session, please click here". We do not recommend redirecting users to the simple logout page automatically, because some users may want to log out of your site but still access other SAML SSO applications without re-authenticating.
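As an added example (not code from the original page or from any SP product), here is an SP-side logout handler that follows the advice above: it invalidates the application's own session on the server, expires the session cookie, and renders a page with an opt-in link to the IdP's simple logout rather than redirecting there. The application name, cookie name, IdP logout URL and in-memory session store are hypothetical stand-ins.

```python
from __future__ import annotations

import html
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple

# Hypothetical values assumed for this example.
APP_NAME = "Example App"
IDP_LOGOUT_URL = "https://idp.example.edu/idp/profile/Logout"
SESSION_COOKIE = "app_session"

# In-memory stand-in for the SP's server-side session store.
SESSIONS: Dict[str, dict] = {}


def create_session(user: str) -> str:
    """Start an SP session after a successful SAML login; returns the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid


def _session_id_from(cookie_header: Optional[str]) -> Optional[str]:
    """Pull our session id out of a raw Cookie: header, if present."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def handle_logout(cookie_header: Optional[str]) -> Tuple[int, List[Tuple[str, str]], str]:
    """Handle GET /logout; returns (status, headers, body) in WSGI style.

    Deliberately a 200 page rather than a 302 to the IdP: the user decides
    whether to end the IdP (SSO) session via the link in the body.
    """
    sid = _session_id_from(cookie_header)
    # Invalidate server-side, not just in the browser: a captured copy of the
    # cookie value must stop working too. pop() is a no-op for an unknown id.
    SESSIONS.pop(sid, None)
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        # Expire the cookie. Path/Secure/HttpOnly/SameSite must match what
        # login set, otherwise the browser keeps the original cookie.
        ("Set-Cookie", f"{SESSION_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Cache-Control", "no-store"),
    ]
    body = (
        "<!doctype html><html><body>"
        f"<h1>You have been logged out of {html.escape(APP_NAME)}</h1>"
        "<p>You are still signed in to Single Sign-On and to any other "
        "applications you used in this browser.</p>"
        "<p>If you want to delete the SAML SSO session, please "
        f'<a href="{html.escape(IDP_LOGOUT_URL, quote=True)}">click here</a>. '
        "To be sure you are logged out of every application, close all browser windows.</p>"
        "</body></html>"
    )
    return 200, headers, body


if __name__ == "__main__":
    sid = create_session("jane")
    status, hdrs, page = handle_logout(f"theme=dark; {SESSION_COOKIE}={sid}")
    print(status, sid in SESSIONS)   # 200 False
    print(page)
```

Note what the handler does not do: it never touches the IdP session or any other SP's session, which is exactly why the page text tells the user that they remain signed in elsewhere.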
Finally, remember that having a logout feature on your site may lead users to believe (incorrectly) they have logged out of all of their SAML-authenticated applications.