
This article describes the SAML Single Logout feature in the Smart ID Digital Access component.

SAML Single Logout (SLO) is a SAML flow that allows the end-user to log out from a single session and be automatically logged out of all related sessions that were established during Single Sign-On (SSO).

The end-user can initiate the SLO process from within the Identity Provider (IDP) or from one of the Service Providers (SPs). Currently only front-channel SLO over the HTTP-Redirect binding is supported.

Enable Single Logout when Digital Access acts as IDP

Log in to Digital Access Admin

  1. Log in to Digital Access Admin with an administrator account.


Enable Single Logout

  1. In Digital Access Admin, go to Manage Resource Access.
  2. Click SAML Federation and select the IDP.
  3. Click SAML Federation.
  4. Select the Role Identity Provider tab.
  5. Check Enable Single Logout.

IDP initiated logout flow


Logout flow

When the user clicks Logout in Digital Access, acting as IDP with Single Logout enabled:

  • A LogoutRequest is sent to every SP that has an active session with that IDP.
  • Each SP ends its own session and returns a LogoutResponse.
  • The IDP session is terminated as well.

Logout status

Whether each SP logout succeeded or failed is shown on the logout page.

Issues

If any SP fails to log out, close all browser windows to make sure no dangling session remains.

SP initiated logout flow


Logout flow

When any participating SP initiates SLO with Digital Access as IDP:

  • The SP sends its LogoutRequest to Digital Access.
  • Digital Access propagates the logout to the other participating SPs, that is, the SPs whose metadata contains an SLO endpoint.
  • Each of these SPs ends its session.
  • Each SP then sends a LogoutResponse back to Digital Access.
  • Digital Access terminates its own session and returns a LogoutResponse to the SP that initiated the logout.

Issues

  • Digital Access, when acting as IDP, waits 3 seconds for the LogoutResponses from the SPs. If they take longer, the logout page reports that the logout has failed. The timeout can be increased in slo-logoutpage.js if there are many SPs.
  • If an SP fails to log out because of an error, or if the IDP session has expired, the logout flow does not complete.
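The two flows above exchange the same two messages, a LogoutRequest and a LogoutResponse, over the HTTP-Redirect binding. The following is an added example, not code from Digital Access or from this article: it builds the LogoutRequest an IDP redirects the browser to each SP with, encodes and decodes it the way the binding requires (raw DEFLATE, base64, URL-encoded into the SAMLRequest query parameter), and classifies the LogoutResponse that comes back using only its StatusCode, which is all SLO provides. Entity IDs, URLs, the session index and the sample responses are constructed for the example, and query-string signing is omitted.

```python
"""Added example of the SAML 2.0 front-channel SLO messages in the HTTP-Redirect
binding. Not part of Digital Access; entity IDs, URLs and sample replies are made up."""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_logout_request(issuer, destination, name_id, session_index, request_id=None):
    """LogoutRequest the IDP sends to one SP. Returns (ID, XML); the SP must echo
    the ID in LogoutResponse/@InResponseTo."""
    request_id = request_id or "_" + uuid.uuid4().hex
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = name_id
    # SessionIndex scopes the logout to the SSO session being ended.
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return request_id, ET.tostring(req, encoding="unicode")


def redirect_binding_encode(xml_str, param, relay_state=None):
    """Query string for the 302 to the partner's SLO endpoint: raw DEFLATE (no zlib
    header), base64, then URL-encoding. A real IDP/SP also signs the query string
    (SigAlg and Signature parameters); that step is omitted in this example."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # negative wbits = raw DEFLATE
    deflated = comp.compress(xml_str.encode("utf-8")) + comp.flush()
    params = {param: base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urlencode(params)


def redirect_binding_decode(query_string, param):
    """Inverse of redirect_binding_encode, as done on the receiving side."""
    raw = base64.b64decode(parse_qs(query_string)[param][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def evaluate_logout_response(xml_str, expected_in_response_to):
    """Classify a LogoutResponse as 'success', 'partial' or 'failed' from its
    StatusCode, after tying it to the LogoutRequest we actually sent."""
    root = ET.fromstring(xml_str)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        return "failed", f"unexpected element {root.tag}"
    if root.get("InResponseTo") != expected_in_response_to:
        # An unsolicited or replayed response must not count as a completed logout.
        return "failed", "InResponseTo does not match the LogoutRequest ID"
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if top is None:
        return "failed", "no StatusCode"
    if top.get("Value") != STATUS_SUCCESS:
        return "failed", top.get("Value")
    second = top.find(f"{{{SAMLP}}}StatusCode")
    if second is not None and second.get("Value") == STATUS_PARTIAL_LOGOUT:
        # The SP ended its own session but could not reach every participant.
        return "partial", STATUS_PARTIAL_LOGOUT
    return "success", STATUS_SUCCESS


def make_logout_response(in_response_to, top_code, second_code=None):
    """Constructed SP reply for the example (unsigned)."""
    nested = f'<samlp:StatusCode Value="{second_code}"/>' if second_code else ""
    return (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'InResponseTo="{in_response_to}">'
        f'<saml:Issuer>https://sp.example.com/saml</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{top_code}">{nested}</samlp:StatusCode>'
        f'</samlp:Status></samlp:LogoutResponse>'
    )


if __name__ == "__main__":
    rid, req_xml = build_logout_request(
        "https://da.example.com/idp", "https://sp.example.com/slo", "alice", "_sess1")
    qs = redirect_binding_encode(req_xml, "SAMLRequest", relay_state="logout")
    print("302 Location: https://sp.example.com/slo?" + qs)
    assert redirect_binding_decode(qs, "SAMLRequest") == req_xml
    print(evaluate_logout_response(make_logout_response(rid, STATUS_SUCCESS), rid))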

Other

Branding

For branding customizations, modify the _slologoutPage.html and _sloResultsPage.html pages.


Common issues
  • For SLO to work end to end, both the IDP and all SPs must be configured to support SLO; otherwise the sessions at participants that do not support SLO are not terminated.
  • If any SP returns a logout failure response, or if the IDP session has timed out, the SLO fails.
Note

In all of the above cases where the single logout flow does not complete, it is strongly recommended to close the browser window so that the session cookies of any participant that did not log out are discarded and no dangling session remains.



Limitations
  • In the ideal case, SLO improves both user experience and security by removing the need for end-users to log out of each SSO session manually. In practice SLO has significant restrictions and drawbacks that make it fragile.
  • SLO is one of the more opaque parts of the SAML protocol: a failure is reported only as a status code in the LogoutResponse. If you do not own all Service Providers, this makes supporting users difficult.
  • Currently Digital Access only supports front-channel SLO, which relies on the browser sending each participant's session cookie on the logout redirect. SLO may therefore fail depending on the SameSite attribute of those cookies.
  • Back-channel logout is not yet implemented, because the SOAP binding it requires involves considerable orchestration and additional development effort.
  • When Digital Access is configured as IDP and the same or a different Digital Access instance is registered as one of the SPs, SLO currently has issues. This will be fixed in a coming release.
  • For SLO initiated by a third-party SP to work, the SP metadata must be re-imported into the Digital Access instance acting as IDP.


This article is valid for Smart ID 21.10 and later and Digital Access 6.1.0 and later.
