!!! Overview
[{$pagename}] ends access to an [Operating System], [Application] or [website].


[{$pagename}] informs the [Operating System], [Application] or [website] that the current user wishes to end the [session].

Log out is also known as log off, sign off or sign out.

!! Reasons for [{$pagename}]
Reasons for performing [{$pagename}] include:
* [End-User] action
* [Application] [timeout]
* [Identity Provider (IDP)] [timeout]
* [Anomaly Detection] behavior or account compromise
* [Account termination]

!! [{$pagename}] and [Federated Identity Management]
[Single Logout] in [Federated Identity Management] systems presents additional concerns.


Kinds of [{$pagename}] [Messages] in [Federated Identity Management] Systems:
* Request from [Relying Party] to [Identity Provider (IDP)] to log out [End-User]
* Request from [Identity Provider (IDP)] to [Relying Party] to log out [End-User]
** May be sent in parallel to all logged-in [Relying Party]s known to the [Identity Provider (IDP)]
* Chained request to sequentially [log out|Logout Mechanism] a series of [Relying Party]s (as used in [SAML])
* Logout confirmation message from [Relying Party] to [Identity Provider (IDP)]
* Logout confirmation message from [Identity Provider (IDP)] to [Relying Party]

Note that hierarchies of [Federated Identity Management] systems may result in a [Relying Party] of one [Identity Provider (IDP)] also being an [Identity Provider (IDP)] to another set of [Relying Party]s.


!! [Communication] mechanisms for [{$pagename}] messages
* [Browser]-based [message] delivery methods:
** Redirect from [Relying Party] to [Identity Provider (IDP)]
** GET at [Relying Party] [iframe]
** GET at tiny/hidden [Relying Party] image
** [PostMessage] between [Relying Party] and [Identity Provider (IDP)] frames
** [JavaScript] invocation on [iframe] load
** [iframe]/image loaded notifications within [browser]
** Redirect from [Identity Provider (IDP)] to [Relying Party]
** [Redirection] chain initiated at IdP through all [Relying Party]s to be logged out
* [Back-channel Communication] delivery methods:
** [HTTP GET] or [HTTP POST] from [Identity Provider (IDP)] to [Relying Party]


!! Possible [state] clean-ups at RPs
* User [Session] [State]
** [Cookies]
** [Browser]-based storage (e.g. [HTML5] [LocalStorage], IndexedDB, etc.)
*** Requires JavaScript notification
* Storage in native client (platform-specific and no spec for this)
* [Token Revocation]
** [Access Tokens]
** [Refresh Tokens]
** [Identity Tokens]



!! Possible state clean-ups at IdPs
User [session] [state]:
* [Cookies]
* [Tokens]
* Server [database] entries
* List of logged-in [Relying Parties|Relying Party]


!! [{$pagename}] and [Auditing] Information
* IdPs may keep a log of when & where end-users logged in and out
* May be used for service operator [logging] and [auditing]
* May be used by [End-User] to log out undesired [sessions]
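
The following is an added example, not part of the original page or of the cited presentation. It is a toy in-process Python model of an IdP-initiated logout sent to every logged-in RP, showing the state clean-ups on both sides, the confirmation messages, and the audit entries, including the case where an RP never confirms and keeps its session. All class, method and field names, the session id and the token values are constructed for illustration.

```python
import time
from dataclasses import dataclass, field

@dataclass
class RelyingParty:
    name: str
    reachable: bool = True                        # constructed switch to model a lost request
    sessions: dict = field(default_factory=dict)  # sid -> cookies/tokens held at the RP

    def handle_logout(self, sid):
        """Logout request from the IdP; returning True is the confirmation message."""
        if not self.reachable:
            return False                          # request never arrived: RP state is untouched
        self.sessions.pop(sid, None)              # clean up session state and tokens
        return True

@dataclass
class IdentityProvider:
    sessions: dict = field(default_factory=dict)  # sid -> {"user": ..., "rps": [RelyingParty]}
    audit_log: list = field(default_factory=list)

    def login(self, sid, user, rp):
        entry = self.sessions.setdefault(sid, {"user": user, "rps": []})
        entry["rps"].append(rp)                   # list of logged-in Relying Parties
        rp.sessions[sid] = {"access_token": f"constructed-{sid}-{rp.name}"}
        self.audit_log.append((time.time(), "login", user, rp.name, ""))

    def logout(self, sid, reason):
        """Clear IdP state, notify every logged-in RP, return names of unconfirmed RPs."""
        entry = self.sessions.pop(sid, None)      # IdP session ends whatever the RPs answer
        if entry is None:
            return []
        unconfirmed = []
        for rp in entry["rps"]:
            ok = rp.handle_logout(sid)
            event = "logout-confirmed" if ok else "logout-unconfirmed"
            self.audit_log.append((time.time(), event, entry["user"], rp.name, reason))
            if not ok:
                unconfirmed.append(rp.name)       # session may still be live at this RP
        return unconfirmed

def demo():
    """One user session at two RPs; the 'wiki' RP cannot be reached at logout time."""
    idp = IdentityProvider()
    mail, wiki = RelyingParty("mail"), RelyingParty("wiki", reachable=False)
    idp.login("s1", "alice", mail)
    idp.login("s1", "alice", wiki)
    pending = idp.logout("s1", reason="End-User action")
    return pending, "s1" in mail.sessions, "s1" in wiki.sessions
```

The unconfirmed entries in the audit log are what an operator or end-user would review to find sessions that outlived the logout.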

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [What Does Logout Mean?|http://self-issued.info/presentations/What_Does_Logout_Mean_Presentation.pdf|target='_blank'] - based on information obtained 2018-03-30