SSO logout service
If the logout URL is configured in the identity provider settings, the following steps terminate the active user session:
- The end user initiates a logout request at a service provider.
- The service provider forwards the logout request to an identity provider.
- The identity provider validates the logout request.
- The identity provider sends a logout request for the user to every other service provider with which it knows the user has an active security session.
- The identity provider terminates the user's sessions and sends a response to the original service provider.
- The original service provider informs the user that they have been logged out.
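
The six steps above, modelled in memory as an added example; this is not BlackBerry AtHoc code. The class and function names, the `sp-a`/`sp-b`/`sp-c` service providers, and the two validation checks in step 3 are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ServiceProvider:
    name: str
    sessions: set = field(default_factory=set)  # users with a local session here

    def end_session(self, user):
        self.sessions.discard(user)

@dataclass
class IdentityProvider:
    providers: dict = field(default_factory=dict)  # registered SPs, by name
    sessions: dict = field(default_factory=dict)   # user -> names of SPs in the session

    def login(self, user, sp_name):
        self.providers[sp_name].sessions.add(user)
        self.sessions.setdefault(user, set()).add(sp_name)

    def logout(self, user, origin):
        participants = self.sessions.get(user, set())
        # Step 3 (assumed checks): sender is registered and holds a session for this user.
        if origin not in self.providers or origin not in participants:
            return {"status": "rejected", "notified": []}
        # Step 4: send the logout to every other SP that shares the session.
        notified = sorted(participants - {origin})
        for name in notified:
            self.providers[name].end_session(user)
        # Step 5: terminate the IdP-side session and answer the originating SP.
        del self.sessions[user]
        return {"status": "success", "notified": notified}

def sp_initiated_logout(idp, sp, user):
    """Steps 1-2 and 6: forward the request, end the local session on success."""
    response = idp.logout(user, sp.name)
    if response["status"] == "success":
        sp.end_session(user)
    return response

def build_demo():
    """Constructed sample state: three hypothetical SPs, two users."""
    idp = IdentityProvider()
    for name in ("sp-a", "sp-b", "sp-c"):
        idp.providers[name] = ServiceProvider(name)
    for user, sp_name in (("alice", "sp-a"), ("alice", "sp-b"), ("bob", "sp-a")):
        idp.login(user, sp_name)
    return idp
```

A logout for `alice` from `sp-a` also ends her session at `sp-b` and leaves `bob` signed in; a request from an SP that holds no session for the user is rejected and changes nothing.
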
If the logout URL is displayed in the Service Provider settings, the following steps terminate the active user session:
- The end user initiates a logout request at a service provider.
- The service provider terminates any of the user's active sessions that are handled by a third-party service.
- The service provider forwards the logout request to the logout URL.
If the logout URL is not configured for either the identity provider or the service provider, when a user requests a logout, the service provider terminates the user's active session and displays the login page (for the BlackBerry AtHoc management system) or the sign out page (for Self Service).

The following table describes the log out flows for the BlackBerry AtHoc management system:

Log out type | Initiator | IDP logout URL included | Custom logout URL available | Log out behavior |
---|---|---|---|---|
Sign out or session timeout | SP | Yes | Yes | The IDP session is terminated. The end user is signed off locally and redirected to their organization's SSO login URL. The IDP logout URL is used. |
Sign out or session timeout | SP | Yes | No | The IDP session is terminated. The end user is signed off locally and redirected to their organization's SSO login URL. The IDP logout URL is used. |
Sign out or session timeout | SP | No | Yes | The end user is signed off locally and redirected to the custom logout URL. |
Sign out or session timeout | SP | No | No | The end user is signed off locally and redirected to the organization's SSO login URL. |
Session timeout | IDP | Yes | Yes | The IDP session is terminated. The end user is signed off locally and redirected to the manual login page with a Session Timeout message. |
Session timeout | IDP | Yes | No | The IDP session is terminated. The end user is signed off locally and redirected to the manual login page with a Session Timeout message. |
Sign out or session timeout | IDP | No | Yes | The IDP session is terminated. The end user is signed off locally and redirected to the custom logout URL. |
Session timeout | IDP | No | No | The end user is signed off locally and redirected to the manual login page with a Session Timeout message. |
Sign out | IDP | Yes | Yes | The IDP session is terminated. The end user is signed off locally and redirected to the manual login page. |
Sign out | IDP | Yes | No | The IDP session is terminated. The end user is signed off locally and redirected to the manual login page. |
Sign out | IDP | No | No | The end user is signed off locally and redirected to the manual login page. |

The following table describes the log out flows for Self Service:

Log out type | Initiator | IDP logout URL included | Custom logout URL included | Log out behavior |
---|---|---|---|---|
Sign out or session timeout | SP | Yes | Yes | The IDP session is terminated. The end user is signed off locally and redirected to the sign out page. |
Sign out or session timeout | SP | Yes | No | The IDP session is terminated. The end user is signed off locally and redirected to the sign out page. |
Sign out or session timeout | SP | No | Yes | The end user is signed off locally and redirected to the custom URL. |
Sign out or session timeout | SP | No | No | The end user is signed off locally and redirected to the sign out page. |
Sign out or session timeout | IDP | Yes | Yes | The IDP session is terminated. The end user is signed off locally and redirected to the sign out page. The Go To Login button is not visible. |
Sign out or session timeout | IDP | Yes | No | The IDP session is terminated. The end user is signed off locally and redirected to the sign out page. The Go To Login button is not visible. |
Sign out or session timeout | IDP | No | Yes | The end user is signed off locally and redirected to the custom URL. |
Sign out or session timeout | IDP | No | No | The end user is signed off locally and redirected to the sign out page. |