# SAML Single Logout

The SAML 2.0 single logout (SAML SLO) protocol allows identity providers to terminate sessions across a user's applications nearly simultaneously with a single logout request.

Enabling SAML SLO in Immuta reduces the exposure of abandoned sessions: an Immuta session is terminated when a timeout event occurs, when the user logs out of their identity provider, or when the user logs out of another application in the same identity-provider session. Once users are logged out of Immuta, they must re-authenticate to log back in.

## Requirements

* Immuta APPLICATION\_ADMIN permission
* An identity provider that supports the SAML protocol. See this list of [supported identity providers and their protocols](https://documentation.immuta.com/2024.2/people/section-contents/identity-managers#iam-solutions-support-matrix).

## Logout processes

There are two logout processes for SAML SLO:

* [Application-initiated logout](#user-initiates-logout-from-immuta): A user logs out from a service provider.
* [Identity-provider-initiated logout](#user-initiates-logout-from-the-identity-provider): A user logs out from their identity provider.

The following objects are referenced in both processes below:

* **Principal**: A user, service, or process that must authenticate with a service before being granted access and privileges.
* **Service provider** (or session participant): The service or application the principal wants to be granted access to (for example, Immuta).
* **Session authority** (or identity management provider): The identity management provider that verifies the principal's identity. See this list of supported [identity providers for examples](https://documentation.immuta.com/2024.2/people/section-contents/identity-managers#iam-solutions-support-matrix).
* **Session**: The period during which the principal is authenticated with the service provider. A session starts when the user authenticates with a password or another authentication protocol and the service provider has verified that the user is allowed to access its service.

### User initiates logout from Immuta

| SAML SLO protocol                                                                                                                                                                                                                         | Example                                                                                                                                    |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
| 1. The principal requests to log out of the service provider, or a timeout event initiates a logout request.                                                                                                                              | 1. User logs out of Immuta.                                                                                                                |
| 2. The service provider sends a logout request to the session authority.                                                                                                                                                                  | 2. Immuta sends a logout request to Okta and terminates the user's Immuta session.                                                         |
| 3. The session authority validates the signature and data in the request and sends a logout request to all the service providers for the current authenticated session (except the service provider from which the logout was initiated). | 3. Okta validates the signature and data in the request and sends a logout request to all the other applications the user is logged in to. |
| 4. The service providers validate the signature and data in the request, terminate the sessions, and send logout responses to the session authority indicating that the user has been logged out. | 4. The other applications validate the signature and the data in the request, terminate the user's sessions in their application, and send logout responses to Okta. |
| 5. The session authority ends its own session with the principal.                                                                                                                                                                         | 5. Okta terminates its own session with the user.                                                                                          |
| 6. The session authority sends a logout response message to the service provider from which the logout was initiated.                                                                                                                     | 6. Okta sends a logout response message to Immuta.                                                                                         |

### User initiates logout from the identity provider

| SAML SLO protocol                                                                                                                                                               | Example                                                                                                                          |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| 1. The principal requests to log out of the session authority, or a timeout event initiates a logout request.                                                                   | 1. User logs out of Okta.                                                                                                        |
| 2. The session authority validates the signature and data in the request and sends a logout request message to all the service providers for the current authenticated session. | 2. Okta validates the signature and data in the request and sends a logout request to all applications the user is logged in to. |
| 3. The service providers validate the signature and data in the request and terminate the sessions.                                                                             | 3. Immuta and other applications validate the signature and data in the request and terminate the user's sessions.               |
| 4. The service providers send logout responses to the session authority indicating that the user has been logged out.                                                                 | 4. Immuta and other applications send a logout response to Okta to indicate the user has been logged out.                        |
| 5. The session authority ends its own session with the principal.                                                                                                               | 5. Okta terminates its own session with the user.                                                                                |
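The two tables above describe the same messages from two starting points: a signed `LogoutRequest` carrying the principal's `NameID` and `SessionIndex`, and a `LogoutResponse` whose `InResponseTo` refers back to it. The following is an added example (not Immuta's code, and not taken from any identity provider) of the service-provider side of that exchange over the SAML HTTP-Redirect binding: building the `LogoutRequest` that a service provider sends in step 2 of the application-initiated flow, and validating an identity-provider-initiated `LogoutRequest` before terminating sessions and answering it (steps 3 and 4 of the second table). The entity IDs, SLO URLs and session store are assumptions; the HMAC signer is a constructed stand-in for the RSA-SHA256 signature a real service provider produces with its private key and verifies against the identity provider's certificate.

```python
"""SP side of SAML 2.0 Single Logout over the HTTP-Redirect binding.
Added example, not Immuta's code. Assumed, not from the page: the entityIDs and SLO URLs
below, and the HMAC signer, a constructed stand-in for the RSA-SHA256 signature a real SP
makes with its private key and verifies against the IdP's certificate."""
import base64, hashlib, hmac, secrets, urllib.parse, zlib
import datetime as dt
import xml.etree.ElementTree as ET  # production code should parse with defusedxml
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SP_ENTITY_ID, SP_SLO_URL = "https://sp.example.com", "https://sp.example.com/saml/slo"
IDP_ENTITY_ID, IDP_SLO_URL = "https://idp.example.com", "https://idp.example.com/slo"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
_DEMO_KEY = b"constructed-demo-key"  # stand-in for real key material

def now_ts(offset_s=0):
    """UTC timestamp in the xs:dateTime form SAML uses, offset_s seconds from now."""
    t = dt.datetime.now(dt.timezone.utc) + dt.timedelta(seconds=offset_s)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def deflate_b64(xml_text):
    """Redirect binding: raw DEFLATE, then base64 (SAML Bindings 3.4.4.1)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()

def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()

def signed_payload(params):
    """The exact octets the Signature covers: URL-encoded params in this fixed order."""
    keys = ("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg")
    return "&".join(f"{k}={urllib.parse.quote(params[k], safe='')}" for k in keys if k in params)

def demo_sign(payload):
    return base64.b64encode(hmac.new(_DEMO_KEY, payload.encode(), hashlib.sha256).digest()).decode()

def demo_verify(payload, signature):
    return hmac.compare_digest(demo_sign(payload), signature)

def build_logout_request(name_id, session_index, issuer, destination, lifetime_s=300):
    """LogoutRequest: sent by the SP in step 2 of the SP-initiated flow (issuer = SP) and by
    the IdP in step 2 of the IdP-initiated flow (issuer = IdP). Returns (ID, xml)."""
    req_id = "_" + secrets.token_hex(16)
    xml_text = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" Version="2.0" '
        f'IssueInstant="{now_ts()}" Destination="{destination}" NotOnOrAfter="{now_ts(lifetime_s)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer><saml:NameID>{escape(name_id)}</saml:NameID>"
        f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex></samlp:LogoutRequest>"
    )
    return req_id, xml_text

def to_redirect_params(key, xml_text, relay_state=None, sign=demo_sign):
    """Encode and sign one message as the query parameters of an HTTP-Redirect binding."""
    params = {key: deflate_b64(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    params["SigAlg"] = SIG_ALG
    params["Signature"] = sign(signed_payload(params))
    return params

def handle_idp_logout_request(params, sessions, verify=demo_verify):
    """Steps 3-4 of the IdP-initiated flow at the SP. sessions: {id: (NameID, SessionIndex)}.
    Returns (ended ids, LogoutResponse params); raises ValueError, touching no session, on failure."""
    # Signature first: the session names inside an unverified request mean nothing.
    if params.get("SigAlg") != SIG_ALG or not verify(signed_payload(params), params.get("Signature", "")):
        raise ValueError("signature check failed")
    root = ET.fromstring(inflate_b64(params["SAMLRequest"]))
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    # Destination, Issuer and NotOnOrAfter pin the request to this SP, this IdP and this time window.
    if root.get("Destination") != SP_SLO_URL:
        raise ValueError("Destination mismatch")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("untrusted Issuer")
    expires = root.get("NotOnOrAfter")
    if expires and dt.datetime.fromisoformat(expires.replace("Z", "+00:00")) <= dt.datetime.now(dt.timezone.utc):
        raise ValueError("request expired")
    name_id = root.findtext("saml:NameID", namespaces=NS)
    indexes = {e.text for e in root.findall("samlp:SessionIndex", NS)}
    # Terminate the named session(s); with no SessionIndex, every session of the principal.
    ended = [s for s, (nid, idx) in sessions.items() if nid == name_id and (not indexes or idx in indexes)]
    for s in ended:
        del sessions[s]
    response = (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{secrets.token_hex(16)}" '
        f'Version="2.0" IssueInstant="{now_ts()}" Destination="{IDP_SLO_URL}" InResponseTo="{root.get("ID")}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/>'
        "</samlp:Status></samlp:LogoutResponse>"
    )
    # RelayState goes back unchanged so the IdP can correlate the response with its request.
    return ended, to_redirect_params("SAMLResponse", response, params.get("RelayState"))
```

The order of checks is the security-relevant part: the signature is verified over the query string before the XML is even decoded, and `Destination`, `Issuer` and `NotOnOrAfter` are all checked before any session is touched, so a request replayed at a different service provider, forged by a non-identity-provider party, or captured and resent after its window is rejected without side effects. A request with no `SessionIndex` terminates every session of the named principal, which is what the protocol prescribes; the `RelayState` is echoed back unchanged because the identity provider uses it to correlate the response.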

## Supported identity providers

Immuta's SAML SLO support has been tested with the following identity providers:

* Keycloak
* Microsoft Entra ID
* Okta[^1]

See your identity provider's documentation to determine whether or not your provider supports SAML SLO. For a list of identity providers and protocols supported by Immuta, see the [identity management support matrix](https://documentation.immuta.com/2024.2/people/section-contents/identity-managers#iam-solutions-support-matrix).

## Consideration

Immuta cannot ensure that other service providers will log out, as Immuta has no control over those applications: Immuta only sends its logout request to the identity provider and terminates its own session; whether each other application honours the identity provider's logout request depends on that application's SAML SLO support and configuration.

[^1]: Okta only supports [application-initiated SAML SLO](#logout-processes).
