Even though the SAML v2.0 specification has support for Global Logout, you have to use it wisely. Just remember that you need to keep the participants to a low number (say up to 5 participants with one IDP).
Global Logout (GLO): The user initiates GLO at one service provider, which logs the user out at the IDP and at all the service providers.
Local Logout (LLO): The user logs out of one service provider only. The sessions at the IDP and at the other service providers stay intact.
To trigger a global logout, append "?GLO=true" to the service provider URL.
Basically, in the service provider page, have a URL that carries this query parameter.
Assuming your service provider is http://localhost:8080/sales/, the URL for the global logout would be http://localhost:8080/sales/?GLO=true
To trigger a local logout, append "?LLO=true" to the service provider URL.
Basically, in the service provider page, have a URL that carries this query parameter.
Assuming your service provider is http://localhost:8080/sales/, the URL for the local logout would be http://localhost:8080/sales/?LLO=true
When using LLO, you must be aware of some security implications. The user is only disconnected from the service provider from which he logged out, which means that the user's sessions at the identity provider and at the other service providers are still active. In other words, the user's SSO session is still active and he is still able to log in to any other service provider without re-authenticating. We strongly recommend always using the Single Logout Profile (GLO).
In the case of LLO, the service provider invalidates its own session and forwards to a default logout page (logout.jsp). A custom logout page can be configured in picketlink.xml. Please refer to Service Provider Configuration.
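The difference between the two logout modes, and the reason GLO gets costlier as participants grow, can be seen in a small session model. This is an added example written for this page, not PicketLink code: the identity provider, the service provider names ("sales", "sp0", ...), the user "alice" and the password check are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    sso_sessions: dict = field(default_factory=dict)  # user -> SPs that joined the SSO session

    def authenticate(self, user, password):
        return password == "secret"  # constructed check, not a real credential store

    def end_sso(self, user, sps):
        """GLO: send a logout to every participant, then end the SSO session."""
        participants = self.sso_sessions.pop(user, set())
        for name in participants:
            sps[name].sessions.discard(user)
        return len(participants)  # logout round-trips the IDP had to make


@dataclass
class ServiceProvider:
    name: str
    idp: IdentityProvider
    sessions: set = field(default_factory=set)

    def login(self, user, password=None):
        """Log in via the IDP; no password is needed while an SSO session exists."""
        if user not in self.idp.sso_sessions:
            if not self.idp.authenticate(user, password):
                return False
            self.idp.sso_sessions[user] = set()
        self.idp.sso_sessions[user].add(self.name)
        self.sessions.add(user)
        return True

    def logout(self, user, glo, sps):
        """glo=True models ?GLO=true, glo=False models ?LLO=true."""
        if glo:
            return self.idp.end_sso(user, sps)
        self.sessions.discard(user)  # LLO: only this SP; the IDP session is untouched
        return 0


def demo(glo, n_other=1):
    """Log in at 'sales' and n_other more SPs, log out at 'sales', then probe the rest."""
    idp = IdentityProvider()
    sps = {n: ServiceProvider(n, idp) for n in ["sales"] + [f"sp{i}" for i in range(n_other)]}
    sps["sales"].login("alice", "secret")
    for sp in sps.values():
        sp.login("alice")  # SSO: the other SPs need no password
    rounds = sps["sales"].logout("alice", glo, sps)
    others_alive = any("alice" in sp.sessions for n, sp in sps.items() if n != "sales")
    sso_reusable = sps["sp0"].login("alice")  # try again with no password at all
    return others_alive, sso_reusable, rounds
```

`demo(False)` shows the LLO caveat from the text: the other SP session survives and the IDP still signs the user in without a password, while `demo(True)` ends everything at the cost of one logout exchange per participant.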