Overview#

Logging Out is to end access to a Operating System, Application or a website.

Logging Out informs the Operating System, Application or a website that the current user wishes to end the session.

Log out is also known as log off, sign off or sign out.

Reasons for Logging Out#

Reasons for performing Logging Out include:

• End-User action
• Application timeout
• Identity Provider (IDP) timeout
• Anomaly Detection behavior or account compromise
• Account termination

Logging Out and Federated Identity Management#

Single Logout in Federated Identity Management systems presents additional concerns.

Kinds of Logging Out Messages in Federated Identity Management Systems:

• Request from Relying Party to Identity Provider (IDP) to log out End-User
• Request from Identity Provider (IDP) to Relying Party to log out End-User
  • May be sent in parallel to all logged-in Relying Partys known to the Identity Provider (IDP)
• Chained request to sequentially Logout Mechanism series of Relying Partys (as used in SAML)
• Logout confirmation message from Relying Party to Identity Provider (IDP)
• Logout confirmation message from Identity Provider (IDP) to Relying Party

Note that hierarchies of Federated Identity Management systems may result in an Relying Party with one Identity Provider (IDP) also being an Identity Provider (IDP) to another set of Relying Partys

Communication mechanisms for Logging Out messages#

• Browser-based message delivery methods:
  • Redirect from Relying Party to Identity Provider (IDP)
  • GET at Relying Party iframe
  • GET at tiny/hidden Relying Party image
  • PostMessage between Relying Party and Identity Provider (IDP) frames
  • JavaScript invocation on iframe load
  • iframe/image loaded notifications within browser
  • Redirect from Identity Provider (IDP) to Relying Party
  • Redirection chain initiated at IdP through all Relying Partys to be logged out
• Back-channel Communication delivery methods:
  • HTTP GET or HTTP POST from Identity Provider (IDP) to Relying Party

Possible state clean-ups at RPs#

• User Session State
  • Cookies
  • Browser-based storage (e.g. HTML5 LocalStorage, index dB, etc.)
    • Requires JavaScript notification
• Storage in native client (platform-specific and no spec for this)
• Token Revocation
  • Access Tokens
  • Refresh Tokens
  • Identity Tokens

Possible state clean-ups at IdPs#

User session state

• Cookies
• Tokens
• Server database entries
• List of logged-in Relying Parties

Logging Out and Auditing Information#

• IdPs may keep a log of when & where end-users logged in and out
• May be used for service operator logging and auditing
• May be used by End-User to log out undesired sessions

More Information#

There might be more information for this subject on one of the following:

• Logout Process
• SAML V2.0
• Single Logout
• Why Use Tokens

---

• [#1] - What Does Logout Mean? - based on information obtained 2018-03-30-