Set up IdP-initiated sign-out for Open ID Connect (OIDC)

By default, when a user logs out, only their portal session is terminated. Their session with the identity provider stays active, so if they return to the portal they may be silently re-authenticated through single sign-on without re-entering their credentials.

What this page calls IdP-initiated logout is the flow the OIDC specification calls RP-Initiated Logout: the portal, as the relying party, extends its logout to also end the user's session at the identity provider. When enabled, logging out of the portal will:

  1. End the portal session.

  2. Redirect the user's browser to the identity provider's end session endpoint.

  3. Cancel the identity provider session for that user.

  4. Redirect the user's browser back to a pre-configured URL on the portal (the identity provider logout redirect path).

Only enable this if you explicitly need the identity provider session terminated on portal logout, for example on shared or kiosk devices where a lingering identity provider session would let the next person sign in silently. Because that session is shared, ending it also affects any other applications that rely on the same single sign-on session. For most setups, the default portal-only logout is what users expect.

Before you start

  • You have checked that your OIDC provider offers these features:

    • Support for RP-Initiated Logout (an end session endpoint).

    • Registration of a Post Logout Redirect URI (sometimes called Verified logout URL, Sign-out redirect URI, or Allowed logout URLs).

  • You have set up OIDC portal authentication as described in Set up portal authentication using Open ID Connect (OIDC).

  • You have set up a sign-out page on your portal and have registered its full URL (your portal domain plus the relative path) as a Post Logout Redirect URI with your OIDC provider.

    Providers typically compare the post_logout_redirect_uri they receive exactly against the registered value, so if the URL is not registered, sign-out may fail, or the user may not be redirected back to your portal.

Steps

To set up IdP-initiated sign-out for OIDC:

  1. Navigate to Administration > Portal Authentication > DOMAIN

    DOMAIN is the website domain that hosts the portal for which OIDC has already been configured.

  2. Click the edit (Edit settings) icon to the far right of the row for the chosen domain.

  3. Populate the IdP logout redirect path field with a relative path on your portal domain.

    Examples: /logout-success, /, /goodbye.

  4. Click the Save changes button to complete the path mapping process.
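The following is an added example, not code from the portal product or from any identity provider, modelling the four-step flow above and the path mapping from these steps as the OIDC RP-Initiated Logout exchange. The portal origin, the provider's end session endpoint, the registered Post Logout Redirect URI and the id_token value are all constructed assumptions; the portal-side functions show what the portal sends, and the provider-side functions show why an unregistered redirect path leaves the user stranded at the provider.

```python
# Added example (not the portal's or any provider's own code): a minimal model
# of OIDC RP-Initiated Logout as described on this page. All URLs, the
# registered redirect URI and the id_token value are constructed assumptions.
import secrets
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed portal domain and the relative path typed into the
# "IdP logout redirect path" field (step 3 of the procedure).
PORTAL_ORIGIN = "https://portal.example.com"
IDP_LOGOUT_REDIRECT_PATH = "/logout-success"

# Assumed provider values: the end session endpoint (in practice read from the
# provider's discovery document) and the Post Logout Redirect URIs registered
# for this client.
END_SESSION_ENDPOINT = "https://idp.example.com/oauth2/logout"
REGISTERED_POST_LOGOUT_URIS = {"https://portal.example.com/logout-success"}


def post_logout_redirect_uri(origin: str, relative_path: str) -> str:
    """Absolute URI the provider is asked to send the browser back to.

    The field on this page takes a relative path; the value actually sent is
    origin + path, and that full URL is what must be registered.
    """
    if not relative_path.startswith("/"):
        raise ValueError("IdP logout redirect path must start with '/'")
    return origin.rstrip("/") + relative_path


def build_end_session_redirect(id_token: str, origin: str = PORTAL_ORIGIN,
                               relative_path: str = IDP_LOGOUT_REDIRECT_PATH,
                               state: Optional[str] = None) -> Tuple[str, str]:
    """Flow step 2: after ending the portal session, redirect the browser to
    the provider's end session endpoint.

    id_token_hint identifies whose session to end; state is echoed back so the
    portal can tie the return to the logout it started. Returns (url, state).
    """
    state = state or secrets.token_urlsafe(16)
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri(origin, relative_path),
        "state": state,
    }
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}", state


def provider_accepts(redirect_url: str,
                     registered: Set[str] = REGISTERED_POST_LOGOUT_URIS) -> bool:
    """Provider-side check: post_logout_redirect_uri must exactly match a
    registered value. An unregistered value is how sign-out ends without the
    user being redirected back to the portal."""
    query = parse_qs(urlsplit(redirect_url).query)
    uri = query.get("post_logout_redirect_uri", [None])[0]
    return uri in registered


def provider_logout_response(redirect_url: str,
                             registered: Set[str] = REGISTERED_POST_LOGOUT_URIS
                             ) -> Optional[str]:
    """Flow steps 3 and 4 from the provider's side: the session is ended (not
    modelled here) and, only if the redirect URI is registered, the browser is
    sent back with the state echoed. None means the user stays at the provider."""
    if not provider_accepts(redirect_url, registered):
        return None
    query = parse_qs(urlsplit(redirect_url).query)
    return query["post_logout_redirect_uri"][0] + "?" + urlencode({"state": query["state"][0]})


def portal_accepts_return(return_url: str, expected_state: str,
                          origin: str = PORTAL_ORIGIN,
                          relative_path: str = IDP_LOGOUT_REDIRECT_PATH) -> bool:
    """Flow step 4 on the portal: accept the return only on the configured path
    and only if the echoed state matches the one issued for this logout."""
    parts = urlsplit(return_url)
    if f"{parts.scheme}://{parts.netloc}" != origin or parts.path != relative_path:
        return False
    state = parse_qs(parts.query).get("state", [None])[0]
    return state is not None and secrets.compare_digest(state, expected_state)


if __name__ == "__main__":
    url, state = build_end_session_redirect("constructed-id-token")
    back = provider_logout_response(url)
    print("registered path:", back, portal_accepts_return(back, state))
    bad_url, _ = build_end_session_redirect("constructed-id-token", relative_path="/goodbye")
    print("unregistered path:", provider_logout_response(bad_url))
```

The second case in the usage block is the failure mode called out under Before you start: /goodbye is a valid relative path on the portal, but because https://portal.example.com/goodbye was never registered with the provider, the provider ends the session and never sends the browser back.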