SAML Single Logout
The SAML 2.0 single logout (SAML SLO) protocol allows identity providers to terminate sessions across a user's applications nearly simultaneously with a single logout request.
SAML SLO enabled in Immuta can minimize security risks by terminating abandoned sessions after a timeout event occurs or after a user logs out of their identity provider or another application. Once users are logged out of Immuta, they must re-authenticate to log back in.
Requirements
- Immuta APPLICATION_ADMIN permission
- An identity provider that supports the SAML protocol. See this list of supported identity providers and their protocols.
Logout processes
There are two logout processes for SAML SLO:
- Application-initiated logout: A user logs out from a service provider.
- Identity-provider-initiated logout: A user logs out from their identity provider.
The following objects are referenced in both processes below:
- Principal: A user, service, or process that must authenticate with a service before being granted access and privileges.
- Service provider (or session participant): The service or application the principal wants to be granted access to (for example, Immuta).
- Session authority (or identity management provider): The identity management provider that verifies the principal's identity. See this list of supported identity providers for examples.
- Session: The period during which the principal is authenticated with the service provider; a session is started when a user authenticates their identity using a password or another authentication protocol and the service provider has verified that the user is allowed access to their service.
User initiates logout from Immuta
| SAML SLO protocol | Example |
|---|---|
| 1. The principal requests to log out of the service provider, or a timeout event initiates a logout request. | 1. User logs out of Immuta. |
| 2. The service provider sends a logout request to the session authority. | 2. Immuta sends a logout request to Okta and terminates the user's Immuta session. |
| 3. The session authority validates the signature and data in the request and sends a logout request to all the service providers for the current authenticated session (except the service provider from which the logout was initiated). | 3. Okta validates the signature and data in the request and sends a logout request to all the other applications the user is logged in to. |
| 4. The service providers terminate the sessions and send logout responses to the session authority indicating that the users has been logged out. | 4. The other applications validate the signature and the data in the request and terminate the user's sessions in their application. |
| 5. The session authority ends its own session with the principal. | 5. Okta terminates its own session with the user. |
| 6. The session authority sends a logout response message to the service provider from which the logout was initiated. | 6. Okta sends a logout response message to Immuta. |
User initiates logout from the identity provider
| SAML SLO protocol | Example |
|---|---|
| 1. The principal requests to log out of the session authority, or a timeout event initiates a logout request. | 1. User logs out of Okta. |
| 2. The session authority validates the signature and data in the request and sends a logout request message to all the service providers for the current authenticated session. | 2. Okta validates the signature and data in the request and sends a logout request to all applications the user is logged in to. |
| 3. The service providers validate the signature and data in the request and terminate the sessions. | 3. Immuta and other applications validate the signature and data in the request and terminate the user's sessions. |
| 4. The service providers terminate the sessions and send logout responses to the session authority indicating that the users has been logged out. | 4. Immuta and other applications send a logout response to Okta to indicate the user has been logged out. |
| 5. The session authority ends its own session with the principal. | 5. Okta terminates its own session with the user. |
Supported identity providers
Immuta's SAML SLO support has been tested with the following identity providers:
- Key Cloak
- Microsoft Entra ID
- Okta1
See your identity provider's documentation to determine whether or not your provider supports SAML SLO. For a list of identity providers and protocols supported by Immuta, see the identity management support matrix.
Consideration
Immuta cannot ensure that other service providers will log out, as Immuta has no control over those applications.
-
Okta only supports application-initiated SAML SLO. ↩