Implement logout with SAML

When your client application has completed a SAML authentication flow where the end user has logged in using a web browser, a user session has been established in the web browser.

If the web browser used by your client application is a standard browser, there may be other applications relying on the same session, and you may be working in a single sign-on (SSO) environment. Applications attached to the same browser session may include other client applications and 10Duke Enterprise tools such as SysAdmin and OrgAdmin.

The end user may start a logout from any of these client applications, or from their profile page provided by the Login Application component, and expect to be logged out from all of them.

To support single logout, your client application needs to be able to start the logout, or log the user out when the logout has been started in another application. See instructions below.

Implementing SAML for your client application from scratch is difficult. There are plenty of libraries available, and we recommend that you find a library suitable for your client application to handle SAML for you.

Before you start

Make sure a logout callback URL has been defined for each of the client applications in SysAdmin.

Start the logout from your application

When the end user starts the logout from your client application, navigate the browser to the logout endpoint at https://<your environment base URL>/user/saml20/signout.

An example request (line breaks added for display purposes):

https://customer.10duke.net/user/saml20/signout
   ?SAMLRequest=fZFBT...
   &RelayState=AnyRelayStateFromClient
   &SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
   &Signature=uw%2BEhZ...

Use the base URL of your 10Duke Enterprise environment. Provide actual values in the request query parameters. In SAMLRequest, provide an encoded SAML logout request (AuthnRequest). In RelayState, provide any value that you want to be sent back to your client application when authentication has been completed and 10Duke Enterprise sends a response back to your client application. In SigAlg and Signature, specify a cryptographic signature for the request.

When the end user has completed the logout in the browser, the browser is sent back to the client application’s (SP’s) logout callback URL.

When the user has been logged out, 10Duke Enterprise uses the browser to send a logout response back to the logout callback URL of your application.

An example response (line breaks added for display purposes):

POST /my-client-logout HTTP/1.1
   Host: {SP_BASE_URL}
   Content-Type: application/x-www-form-urlencoded

   SAMLResponse=PHNhb...
   &RelayState=AnyRelayStateFromClient

From the SAMLResponse parameter, your client application can read the SAML logout response. If you provided RelayState in the request starting the logout, it’s echoed back to you here.

Handle this request as appropriate in your application. Typically this includes cleaning up the user session and displaying a “logout completed” page to the user.

Handle a logout started from another application

When the logout has been started from another application, 10Duke Enterprise submits a request from the browser to the logout callback URL of your application.

An example request (line breaks added for display purposes):

POST /my-client-logout HTTP/1.1
   Host: {SP_BASE_URL}
   Content-Type: application/x-www-form-urlencoded

   SAMLRequest=PHNhb...
   &RelayState=RelayStateFrom10DukeEnterprise

From the SAMLResponse parameter, your client application can read the SAML logout request. The request has a RelayState parameter. It can contain any value, and your application only needs to pass it forward in the next step.

Handle this request as appropriate in your application. Typically this includes cleaning up the user session and redirecting back to 10Duke Enterprise.

Submit a request from the browser back to the 10Duke Enterprise logout endpoint at https://<your environment base URL>/user/saml20/signout.

An example request:

POST /user/saml20/signout HTTP/1.1
   Host: customer.10duke.net
   Content-Type: application/x-www-form-urlencoded

   SAMLResponse=fVFda...
   &RelayState=RelayStateFrom10DukeEnterprise

Use the base URL of your 10Duke Enterprise environment. Return RelayState exactly as you received it from 10Duke Enterprise, echoing back the same parameter value.

You have now handled your part of the logout process. When the whole logout process has been completed, the user is directed back to the application where the logout was started.