OIDC Logout

Logout is the process by which an end user finishes their session in the application and wants to be sure that their credentials are safe. Onegini IdP supports different identity providers, some of which use the OpenID Connect protocol. A single end user may use multiple OpenID Connect identity providers during one session (for example as a result of step-up). When the user logs out, they expect all of their sessions to be ended in every OpenID Connect identity provider that was used.

The Onegini IdP allows you to log out from all OpenID Connect flavoured identity providers that are in use in the current session. Those identity providers are:

Prerequisites

In order to perform an OpenID Connect logout you need to have one of the OpenID Connect flavoured identity providers configured with front channel logout enabled. Please refer to the topic guide of the specific identity provider for details.

OpenID Connect Front Channel Logout Process

Onegini IdP uses the front channel to perform the logout at each identity provider. This means the user is redirected to the logout page provided by each identity provider and has to confirm the logout action there. After the logout has been executed at all OpenID Connect identity providers, the user is redirected to:

  • the Service Provider, if the logout was triggered from a SAML Service Provider
  • the Identity Provider, if the logout was triggered from a SAML Identity Provider
  • the whitelisted URL provided by the origin parameter, if one was provided
  • the logout redirect URL set up in Onegini Consumer Identity Access Manager -> Configuration -> General Information -> Redirect to URL after logout. The origin parameter takes precedence over this configuration.
  • the login page, if none of the above scenarios applies
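The post-logout redirect selection above, written out as an added example (this is not Onegini's own code). It assumes the bullets are evaluated in the order listed, that the whitelist is a set of allowed origins (scheme, host and optional port) rather than full URLs, and uses constructed sample values for the whitelist, the configured redirect URL and the login page.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (hypothetical values, not real deployment data).
ALLOWED_ORIGINS = {"https://portal.example.com", "https://shop.example.com"}
CONFIGURED_LOGOUT_URL = "https://www.example.com/goodbye"   # "Redirect to URL after logout"
LOGIN_PAGE = "https://idp.example.com/login"


def origin_is_whitelisted(url, allowed_origins):
    """Accept only absolute https URLs whose origin exactly matches an allowed origin.

    Comparing scheme://netloc (not a prefix or substring) rejects look-alike hosts
    such as portal.example.com.evil.example and userinfo tricks like
    https://portal.example.com@evil.example, both of which would otherwise turn
    the origin parameter into an open redirect.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc}".lower() in allowed_origins


def resolve_post_logout_target(initiator, origin=None, return_url=None,
                               configured_url=CONFIGURED_LOGOUT_URL):
    """Pick where the browser goes once every OIDC front channel logout is done.

    initiator:  "sp" or "idp" for SAML-triggered logout, anything else for a direct request
    origin:     value of the origin request parameter, if present
    return_url: location of the SAML Service/Identity Provider to return to
    """
    if initiator in ("sp", "idp") and return_url:
        return return_url
    if origin is not None and origin_is_whitelisted(origin, ALLOWED_ORIGINS):
        return origin          # origin parameter wins over the configured URL
    # An origin that is absent or not whitelisted is ignored, never followed.
    if configured_url:
        return configured_url
    return LOGIN_PAGE
```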