This article relates to Single Sign-On (SSO) in Foundry.
Foundry supports single logout (SLO) initiated either by the identity provider (IDP) or by the service provider (SP), which in this case is Foundry, provided that your identity provider supports the corresponding protocol. Be aware that identity providers vary: some support both IDP-initiated and SP-initiated SLO, some support only one of the two, and some do not support SLO at all.
Service Provider-Initiated SLO
Background: in SP-initiated SLO, when the user signs out of Foundry, Foundry sends a request to the IDP asking it to sign the user out of the same SSO session as well. In some SAML implementations this triggers an SLO cascade, in which the IDP informs every other SP participating in that session that it should sign the user out too.
To enable SP-initiated SLO, open the Foundry IDP setup for your IDP and check the “Also log users out of this provider when logging out of Foundry” checkbox; Foundry will then send a SAML LogoutRequest to the IDP when the user logs out of their Foundry session. You must also enter the IDP’s single logout URL in the single logout URL property of the IDP setup, since that is where the LogoutRequest is sent.
Note that not all identity providers support SP-initiated SLO.
Identity Provider-Initiated SLO
In IDP-initiated SLO, when the user signs out of the IDP, the IDP sends a request to Foundry asking it to log the user out of Foundry as well.
If your IDP supports IDP-initiated SLO, no additional configuration is necessary in Foundry, but refer to your IDP’s own instructions on how to configure IDP-initiated SLO. At a minimum, where you provide the details for the Foundry SP in your IDP, you will need to specify Foundry’s SLO URL, which you can obtain by viewing your Foundry SAML metadata (see identity provider configuration in Foundry). Your IDP needs the Foundry SLO URL as the destination for its SAML LogoutRequest.
If desired, you can allow IDP-initiated SLO while disallowing SP-initiated SLO by unchecking the “Also log users out of this provider when logging out of Foundry” checkbox in the Foundry IDP setup.
Note that not all identity providers support IDP-initiated SLO.
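The two directions described above are the same SAML message travelling in opposite directions: for SP-initiated SLO the SP builds a LogoutRequest addressed to the IDP’s single logout URL, and for IDP-initiated SLO the IDP builds one addressed to the SP’s SLO URL, where the SP must validate it before ending the session. The following Python script is an added example, not Foundry’s code or any particular IDP’s code; it builds such a LogoutRequest, encodes it for the HTTP-Redirect binding, and shows the checks a receiving SLO endpoint should make (matching Destination, expected Issuer, expiry) before acting on it. All entity IDs, URLs, user identifiers and session indexes are constructed placeholders. Signature creation and verification are left out for brevity; a real SLO endpoint must verify the request’s signature before logging anyone out, since the Destination and Issuer checks alone do not prove who sent it.

```python
"""
Added example (not Foundry's or any IDP's code). Builds a SAML 2.0
LogoutRequest, encodes it for the HTTP-Redirect binding, and validates an
incoming LogoutRequest the way an SP's SLO endpoint should before it ends
a session. Signature handling is intentionally omitted; a production
endpoint must verify the signature before trusting the request.
"""
import base64
import uuid
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, parse_qs, urlparse
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed placeholder values; replace with the values from your own metadata.
SP_ENTITY_ID = "https://foundry.example.test/saml/metadata"
SP_SLO_URL = "https://foundry.example.test/saml/slo"   # the SP's SLO URL, as published in its SAML metadata
IDP_ENTITY_ID = "https://idp.example.test/metadata"
IDP_SLO_URL = "https://idp.example.test/slo"           # the IDP's single logout URL entered in the IDP setup


def build_logout_request(issuer, destination, name_id, session_index, now=None, ttl_s=300):
    """Build a samlp:LogoutRequest naming the session to end; returns the XML as a string."""
    now = now or datetime.now(timezone.utc)
    root = ET.Element(f"{{{NS_SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,           # SAML IDs must be unique and start with a letter or underscore
        "Version": "2.0",
        "IssueInstant": now.strftime(TIME_FMT),
        "Destination": destination,             # the SLO URL this request is meant for
        "NotOnOrAfter": (now + timedelta(seconds=ttl_s)).strftime(TIME_FMT),
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{NS_SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{NS_SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def redirect_binding_url(slo_url, xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, sent as the SAMLRequest query parameter."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    deflated = compressor.compress(xml_text.encode()) + compressor.flush()
    return slo_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect_binding(url):
    """Inverse of redirect_binding_url: recover the XML from a redirect-binding URL."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def validate_incoming_logout_request(xml_text, our_slo_url, expected_issuer, now=None):
    """
    Checks an SP's SLO endpoint should make before ending a session.
    Returns (name_id, session_index) on success, raises ValueError otherwise.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)   # expat does not resolve external entities by default
    if root.tag != f"{{{NS_SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    if root.get("Version") != "2.0":
        raise ValueError("unsupported SAML version")
    # A request addressed to some other endpoint must not end sessions here.
    if root.get("Destination") != our_slo_url:
        raise ValueError("Destination does not match our SLO URL")
    issuer = root.findtext(f"{{{NS_SAML}}}Issuer")
    if issuer != expected_issuer:
        raise ValueError(f"unexpected Issuer {issuer!r}")
    expiry = root.get("NotOnOrAfter")
    if expiry and datetime.strptime(expiry, TIME_FMT).replace(tzinfo=timezone.utc) <= now:
        raise ValueError("LogoutRequest has expired")
    name_id = root.findtext(f"{{{NS_SAML}}}NameID")
    if not name_id:
        raise ValueError("missing NameID")
    return name_id, root.findtext(f"{{{NS_SAMLP}}}SessionIndex")


def demo():
    """Both directions with the constructed placeholders above."""
    # SP-initiated: the SP builds a request for the IDP's single logout URL.
    sp_request = build_logout_request(SP_ENTITY_ID, IDP_SLO_URL, "alice@example.test", "_sess123")
    url_to_idp = redirect_binding_url(IDP_SLO_URL, sp_request)
    # IDP-initiated: the IDP sends a request to the SP's SLO URL, which the SP validates.
    idp_request = build_logout_request(IDP_ENTITY_ID, SP_SLO_URL, "alice@example.test", "_sess123")
    url_to_sp = redirect_binding_url(SP_SLO_URL, idp_request)
    return url_to_idp, validate_incoming_logout_request(decode_redirect_binding(url_to_sp), SP_SLO_URL, IDP_ENTITY_ID)


if __name__ == "__main__":
    redirect, (user, session) = demo()
    print("SP-initiated redirect:", redirect[:80], "...")
    print("IDP-initiated request accepted for", user, "session", session)
```

The Destination check is what stops a LogoutRequest meant for one endpoint from being replayed to another, and the Issuer check ties the request to the IDP configured for that SP; together with signature verification, these are the checks that make an IDP-initiated logout trustworthy. The script also illustrates the point from the FAQ below: an SP that publishes its SLO URL will receive IDP-initiated requests whether or not it wanted them, so whether they arrive is decided by the IDP configuration, not the SP.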
Q: We don’t want IDP-initiated SLO with Foundry. How can we configure that?
A: This depends on your IDP. There is no way in Foundry to deny or “ignore” an IDP-initiated SLO request, so if you don’t want IDP-initiated SLO to happen, you will need to set up your IDP accordingly. You might be able to accomplish this in your IDP by leaving the “SLO URL” setting for the Foundry SP empty. Be aware, however, that if you want SP-initiated SLO, some IDPs require the Foundry SLO URL to be set in the SP setup for Foundry, which may have the unintended effect of also enabling IDP-initiated SLO whenever your users sign out of your IDP.