SAML (Security Assertion Markup Language) is a widely adopted standard for Single Sign-On (SSO) in enterprise identity federation. Just as SAML SSO simplifies user authentication across multiple systems, SAML Single Logout (SLO) provides a standardized way to terminate sessions across those same systems. Let's explore how it works and the critical differences between redirect vs POST bindings, SP-initiated vs IdP-initiated logout, and the essential role of the Session Index.


๐Ÿ” What is SAML Single Logout (SLO)?

SAML Single Logout (SLO) allows a user to log out from one application (Service Provider, or SP) and have that logout propagated to all other applications that the user has accessed during their session. This prevents "orphaned sessions" and ensures consistent security behavior across systems.

When SLO is triggered, the identity provider (IdP) or an SP notifies all other connected SPs to terminate the user session. These notifications are carried by the SAML LogoutRequest and LogoutResponse messages, which are exchanged over one of the bindings defined by the SAML specification.


Redirect Binding vs POST Binding

In SAML SLO, two common bindings are used for transporting messages between SPs and the IdP:

๐Ÿ” Redirect Binding

  • Mechanism: SAML messages are sent through the URL (as query parameters).
  • Usage: Typically used for GET requests.
  • Advantages: Simple and browser-friendly. No form submission required.
  • Limitations: URL length limits restrict message size. Less secure because the message travels in the URL, so it is exposed in browser history, proxy logs and web server logs.

POST Binding

  • Mechanism: SAML messages are transmitted in the body of an HTTP POST request via an auto-submitting HTML form.
  • Usage: Ideal when messages are large or security is a priority.
  • Advantages: More secure (message not visible in URL). Can handle larger payloads.
  • Limitations: Requires a form to be rendered and submitted, making it slightly more complex.

In practice, many implementations support both, and the choice often depends on organizational security requirements and browser behavior.


SP-Initiated vs IdP-Initiated Logout

SP-Initiated Logout

  • The logout process starts from a Service Provider.
  • The SP sends a LogoutRequest to the IdP.
  • The IdP coordinates the logout with other SPs where the user has active sessions.
  • Use case: When users explicitly log out from an application they were using.

IdP-Initiated Logout

  • The logout starts from the Identity Provider.
  • The IdP initiates the SLO by sending LogoutRequests to all participating SPs.
  • Use case: Admin-triggered logouts, centralized session management, or user logs out directly from the IdP portal.

In both flows, the IdP acts as the central authority to notify SPs and manage the logout lifecycle.


The Role of Session Index

The Session Index is a critical attribute in the SAML assertion issued during login. It uniquely identifies a session established between the SP and the IdP.

During logout, the Session Index is included in the LogoutRequest. It tells the IdP which session to terminate. Without it, the IdP might not know exactly which user session to close, especially if the same user has multiple sessions.

  • Session Index in SP-Initiated Logout: The SP provides the Session Index to the IdP, ensuring the correct session is invalidated.
  • Session Index in IdP Session Store: Enables efficient mapping of users to SP sessions, allowing full session sweep on logout.

This small but powerful attribute ensures session integrity and precise control over session termination across systems.
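To make the binding and Session Index discussion concrete, here is an added example (written for this article, not taken from any SAML library or product) that builds an SP-initiated LogoutRequest carrying a SessionIndex, encodes it for the Redirect binding (DEFLATE + base64 + URL-encoding) and for the POST binding (base64 only), and shows the IdP-side lookup that terminates exactly the session named by the SessionIndex. The entity IDs, session store layout and session values are constructed for the example; XML signature verification, which a real IdP performs before acting on the request, is assumed to have happened already.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

def build_logout_request(issuer, destination, name_id, session_index):
    """SP side: LogoutRequest naming the user and the SessionIndex issued at login."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {"ID": "_" + uuid.uuid4().hex,
                     "Version": "2.0", "IssueInstant": now, "Destination": destination})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")

def encode_redirect(xml):
    # Redirect binding: raw DEFLATE (no zlib header), base64, then URL query encoding.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return urlencode({"SAMLRequest": base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()})

def decode_redirect(query):
    return zlib.decompress(base64.b64decode(parse_qs(query)["SAMLRequest"][0]), -15).decode()

def encode_post(xml):
    # POST binding: plain base64 of the XML, carried in a hidden form field (no size limit from the URL).
    return base64.b64encode(xml.encode()).decode()

def decode_post(b64):
    return base64.b64decode(b64).decode()

def parse_logout_request(xml):
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    return {"issuer": root.findtext(f"{{{SAML}}}Issuer"), "name_id": root.findtext(f"{{{SAML}}}NameID"),
            "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex")}

def idp_handle_logout(session_store, xml):
    """IdP side (signature assumed verified). session_store: session_index -> {name_id, sps}.
    Returns the SAML status URI and the other SPs that must now receive a LogoutRequest."""
    req = parse_logout_request(xml)
    sess = session_store.get(req["session_index"])
    if sess is None or sess["name_id"] != req["name_id"]:  # unknown or mismatched session: refuse
        return STATUS_DENIED, []
    del session_store[req["session_index"]]  # terminate only this session, not every session of the user
    return STATUS_SUCCESS, [sp for sp in sess["sps"] if sp != req["issuer"]]
```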


Summary

SAML SLO is essential for securing federated environments where users access multiple applications through a single identity source. Understanding the differences between Redirect and POST bindings, SP-initiated and IdP-initiated flows, and the function of the Session Index can help ensure a secure and seamless logout experience.

Whether you’re designing an SSO/SLO infrastructure or auditing an existing one, these concepts are foundational to keeping user sessions safe and consistent across your digital ecosystem.