Configure SAML Single Logout with Salesforce as the Identity Provider
Configure single logout (SLO) for a SAML service provider. With SAML SLO, users can log out of either Salesforce or the service provider to log out of both of them.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
|---|
| Federated Authentication is available in: All Editions |
| Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
| Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions |
| User Permissions Needed | |
|---|---|
| To view the settings: | View Setup and Configuration |
| To edit the settings: | Customize Application AND Modify All Data |
Before you configure SAML SLO, review this information.
- Make sure that the service provider supports SAML SLO.
- This implementation uses connected apps. You can configure SLO when you create and edit a connected app as a developer and distribute it to other orgs. Or you can create and manage SLO for a connected app within your org as an administrator. When you’re editing a connected app as a developer, your changes to the SLO configuration aren’t propagated to the page. As you change settings through connected app management pages, manually copy settings to the app creation page, if desired.
- Salesforce currently supports front-channel SLO only, meaning that SLO redirects must occur in the same browser. Salesforce doesn’t support SLO across different browsers.
- Salesforce generates and sends the session index parameter during single sign-on (SSO) and SLO.
- Some service providers don’t support initiating SLO. In this case, skip to step 6 in the setup. Users are logged out of the service provider when Salesforce initiates the logout, but logging out of the service provider doesn’t necessarily log the user out of Salesforce.
Before configuring SAML SLO:
- Get the SAML SLO endpoint from the service provider.
- Get the HTTP binding type from the service provider.
- In Setup, in the Quick Find box, enter apps, and then select Manage Connected Apps.
- Next to the connected app that you want to configure for SLO, click Edit. You’re now editing the connected app configuration even though the path is through Manage Connected Apps.
- Under Web App Settings, select Enable Single Logout.
- For Single Logout URL, enter the SAML SLO endpoint of the connected app service provider. The URL must start with https://.
  - When Salesforce initiates the logout, it sends the logout request with the session index parameter to this SLO endpoint.
  - When the service provider initiates the logout, Salesforce sends the logout response to this SLO endpoint.
- Select the Single Logout Binding type for SLO. The binding type determines where to put the logout request or logout response in the SAML request. The value is base64 encoded. The service provider gives you this information.
  - For HTTP POST, the LogoutRequest or LogoutResponse is in the request body of the SAML request.
  - For HTTP Redirect, the deflated LogoutRequest or LogoutResponse is in the query string of the SAML request.
- To control where users are redirected after they successfully log out, configure logout page settings.
  - For an org, set the logout page URL in your Session Settings. This URL applies to your entire org, not just the connected app. If you don’t set a logout page URL, users are redirected to your My Domain login page when they log out.
  - For an Experience Cloud site, set the logout page URL in the site’s Login & Registration settings. If you don’t set a logout page URL, users are redirected to the site login page when they log out.
- Provide the service provider with the Salesforce identity provider SLO endpoint for your Salesforce org. The service provider uses this endpoint to initiate SLO. The endpoint has the format https://MyDomainName.my.salesforce.com/services/auth/idp/saml2/logout where MyDomainName is your Salesforce domain.
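
The two Single Logout Binding types described above carry the same XML in different wrappers, which matters when you inspect a captured logout message while troubleshooting SLO. The following Python code is an added example, not Salesforce code: it encodes and decodes a LogoutRequest under both bindings and reports the session index and whether the destination uses https://. The sample message, its IDs, the sp.example.com endpoint, and the 64 KB size cap are constructed assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
MAX_XML = 64 * 1024  # assumed cap on inflated size, guards against decompression bombs
# Constructed sample message: every ID, name and URL in it is made up.
SAMPLE = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.com/slo">'
    '<saml:Issuer>https://MyDomainName.my.salesforce.com</saml:Issuer>'
    '<saml:NameID>user@example.com</saml:NameID>'
    '<samlp:SessionIndex>example-session-index</samlp:SessionIndex></samlp:LogoutRequest>'
)

def encode_post(xml):
    """HTTP POST binding: base64 of the XML, sent as a form field in the body."""
    return base64.b64encode(xml.encode()).decode()

def encode_redirect(xml):
    """HTTP Redirect binding: raw DEFLATE, then base64, then URL-encoding."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw deflate, no header
    raw = c.compress(xml.encode()) + c.flush()
    return "SAMLRequest=" + quote(base64.b64encode(raw), safe="")

def decode(value, binding):
    """Recover the XML from a POST form value or a Redirect query string."""
    if binding == "redirect":
        value = parse_qs(value)["SAMLRequest"][0]
    data = base64.b64decode(value, validate=True)
    if binding == "redirect":
        d = zlib.decompressobj(-15)
        data = d.decompress(data, MAX_XML)
        if not d.eof:  # stream unfinished: truncated input or output over the cap
            raise ValueError("truncated or oversized deflate stream")
    return data.decode()

def summarize(xml):
    """Inspection only: no signature check; use a hardened parser for untrusted XML."""
    root = ET.fromstring(xml)
    return {"type": root.tag.split("}")[1],
            "session_index": root.findtext("samlp:SessionIndex", namespaces=NS),
            "https_destination": root.get("Destination", "").startswith("https://")}

if __name__ == "__main__":
    for name, wire in (("post", encode_post(SAMPLE)), ("redirect", encode_redirect(SAMPLE))):
        print(name, len(wire), summarize(decode(wire, name)))
```

Decoding a POST value as Redirect (or the reverse) fails, which is the usual symptom of a binding type that doesn't match what the service provider expects.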


