In SP-initiated single logout (SLO), the user starts at the SP site, and clicks a link to logout out of the IdP site andevery SP site to which there is an SSO session.
The following diagram outlines the SP-initiated SLO flow.
- The user has already SSO’d to one or more service providers.
- The user clicks a link at the SP site to initiate SLO.
- The user is logged out of the SP site.
- A logout request is sent to the IdP site.
- The user is logged out of the IdP site.
- A logout response is sent to the SP site.
Note that the identity provider sends a logout request and expects a logout response from every other service provider apart from the initiating service provider. This occurs between steps 5 and 6.