Before you read this article, you need to have some basic understanding on how SAML, SingleSignOn (SSO) and SingleLogout (SLO) works. Follow this article on how SAML 2.0 is configured with Liferay, and this article on how SAML 2.0 SingleLogout works.

Everyone is probably familiar with how SingleSignOn (SSO) works. SingleLogout (SLO) is just the opposite. In an nutshell, it logs you out from all the applications in the current SSO session with one click of a Sign Out button.

When you sign out from an application in a SingleLogout-enabled SAML environment, the user logs out from all the other applications that are registered as Security Providers (SPs) to the same Identity Provider (IdP).

Let’s see how the Liferay SAML plugin accomplishes this SingleLogout:

  1. When user clicks on Sign Out from a Liferay application (Liferay configured as SP), the SAML plugin intercepts the Liferay’s Sign Out url (/c/portal/logout) and checks if the SingleLogout is enabled. It does this by reading the IdP’s metadata information.
  2. If SingleLogout is enabled, Liferay constructs a SAML logout response and sends it to IdP.
  3. IdP then sends logout requests to other SPs registered to it.
  4. SPs processes the logout request and log out successfully one after the other.
  5. SPs sends logout response to IdP about the status of the logout.
  6. IdP finally sends a logout response to Liferay SP.
  7. Liferay SP then processes the logout response from Idp and cleans up the SAML SSO cookies. It then performs the regular Liferay logout procedure.

Cleanup of the SSO cookies is the key. This is the cookie that persists the session between SP and Idp.

Look for my next article on what you can do when the IdP doesn’t support SingleLogout or it’s not your option.