Platform Selector


Single Logout


Service Provider-Initiated SLO

Background: In SP-initiated SLO, if the user signs out in Foundry, then that will trigger a request from Foundry to the IDP for the IDP to sign out the user from the same SSO session as well; in some SAML implementations, that would trigger a SLO cascade for the IDP to inform any other SPs to also sign out of the same session.

To enable SP-initiated SLO, in the Foundry IDP setup for your IDP, check the “Also log users out of this provider when logging out of Foundry” checkbox if you want Foundry to send a SAML LogoutRequest to the IDP when the user logs out of their Foundry session; additionally, you must also be sure to have the IDP’s single logout URL entered in the single logout URL property in the IDP setup.

Note that not all identity providers support SP-initiated SLO.


Identity Provider-Initiated SLO

In IDP-initiated SLO, if the user signs out of the IDP, then that will trigger the IDP to send a request to Foundry to log the user out of Foundry.

If your IDP supports IDP-initiated SLO, then no additional configuration is necessary in Foundry but refer to your own IDP’s instructions on how to configure IDP-initiated SLO. At a minimum, in your IDP where you provide the details for the Foundry SP, you will need to specify Foundry’s SLO URL which you can get by viewing your Foundry SAML metadata (see identity provider configuration in Foundry). Your IDP will need the Foundry SLO URL to send a SAML LogoutRequest.

Technically, if desired, you can support IDP-initiated SLO and not allow SP-initiated SLO by unchecking the “Also log users out of this provider when logging out of Foundry” checkbox in the Foundry IDP setup.

Note that not all identity providers support IDP-initiated SLO.


FAQ

Q: What is the single logout URL for Foundry?

A: The Foundry SLO URL is in the SAML metadata file. You can also get the URL by logging into the customer admin portal as an admin user, then go to Settings –> Single Sign-on. Then click View to see the SAML metadata, then look at the SLO URL property. Each organization in Foundry has its own personalized Entity ID, ACS URL and SLO URL, so you must go to this page to see the values for your own organization.