Single logout

If your identity provider supports it, you can set up SAML single logout (SLO). Single logout is only supported by SAML 2.0.

When a user logs out, the identity provider logs the user out of every application in the current identity provider login session. A logout can be service provider initiated or identity provider initiated, although your identity provider might not support both. Oracle Eloqua supports both service provider initiated and identity provider initiated logouts.

Note: Oracle Eloqua does not support single logout with Oracle Eloqua Identity Cloud Service for Salesforce.

SLO requirements

Enabling single logout has the following requirements:

  • You have enabled single sign-on and set up your identity provider. It is recommended that you configure single logout before enabling single sign-on for all of your users. Learn more about SSO with a SAML compliant identity provider.
  • Your identity provider supports single logout. Not all identity providers do, and single logout is only supported by SAML 2.0. Oracle Eloqua does not support single logout with Oracle Eloqua Identity Cloud Service for Salesforce.
  • The identity provider's SAML metadata must use the same logout URL in the Location and ResponseLocation attributes. The SAML specification allows these attributes to be different, but Oracle Eloqua does not support this.
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
         Location="http://example.example.com:8080/openam/IDPSloRedirect/metaAlias/idp" 
         ResponseLocation="http://example.example.com:8080/openam/IDPSloRedirect/metaAlias/idp" />
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
         Location="http://example.example.com:8080/openam/IDPSloPOST/metaAlias/idp"
         ResponseLocation="http://example.example.com:8080/openam/IDPSloPOST/metaAlias/idp" />
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
         Location="http://example.example.com:8080/openam/IDPSloSoap/metaAlias/idp" />
  • The identity provider must identify users in the subject's name identifier (the NameID element of the assertion's Subject). Oracle Eloqua only accepts the user identity in this location. If your identity provider identifies users in an attribute value instead, single logout will not work. See Identity provider settings for more information.
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent">
        _ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7
      </saml:NameID>
      ...
    </saml:Subject>
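The following Python script, added here as an example and not part of Oracle Eloqua's documentation or code, checks an identity provider's metadata and a sample assertion against the two requirements above: every SingleLogoutService that carries a ResponseLocation must use the same URL as its Location, and the assertion must identify the user in Subject/NameID. The metadata and assertions are constructed from the snippets on this page; the entityID, the mismatched POST endpoint and the attribute-only assertion are assumptions made for the example. Only the Python standard library is used.

```python
# Added example (not Oracle Eloqua's code): check an IdP's SAML metadata and a
# sample assertion against the two SLO requirements above. Standard library only;
# the XML below is constructed from the page's snippets.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed: the page's SingleLogoutService entries wrapped in a minimal
# EntityDescriptor so they parse as real metadata. The entityID is an assumption.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://example.example.com:8080/openam">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="http://example.example.com:8080/openam/IDPSloRedirect/metaAlias/idp"
         ResponseLocation="http://example.example.com:8080/openam/IDPSloRedirect/metaAlias/idp" />
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="http://example.example.com:8080/openam/IDPSloPOST/metaAlias/idp"
         ResponseLocation="http://example.example.com:8080/openam/IDPSloPOST/metaAlias/idp" />
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="http://example.example.com:8080/openam/IDPSloSoap/metaAlias/idp" />
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed: the same metadata, but the POST binding answers on a different URL (assumed).
BAD_METADATA = IDP_METADATA.replace(
    'ResponseLocation="http://example.example.com:8080/openam/IDPSloPOST/metaAlias/idp"',
    'ResponseLocation="http://example.example.com:8080/openam/IDPSloPOSTResponse/metaAlias/idp"',
)


def check_slo_endpoints(metadata_xml: str) -> list:
    """Return a list of problems with the IdP's <SingleLogoutService> endpoints.

    Eloqua requires ResponseLocation, where present, to equal Location. An endpoint
    with no ResponseLocation is fine: SAML then sends responses to Location anyway.
    """
    root = ET.fromstring(metadata_xml)
    endpoints = root.findall(".//md:SingleLogoutService", NS)
    problems = []
    if not endpoints:
        problems.append("metadata advertises no SingleLogoutService: the IdP does not offer SLO")
    for ep in endpoints:
        binding = ep.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-Redirect, HTTP-POST, SOAP
        location, response_location = ep.get("Location"), ep.get("ResponseLocation")
        if response_location is not None and response_location != location:
            problems.append(f"{binding}: ResponseLocation {response_location} differs from Location {location}")
    return problems


# Constructed assertions: the first carries the user in <Subject>/<NameID> as the page
# requires; the second (assumed) carries it only in an <AttributeStatement>, which SLO cannot use.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>http://example.example.com:8080/openam</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent">
    _ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7
    </saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
  <saml:Issuer>http://example.example.com:8080/openam</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def subject_name_id(assertion_xml: str):
    """Return (Format, value) of the Subject's NameID, or None when the assertion has none."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        return None
    return node.get("Format"), node.text.strip()


if __name__ == "__main__":
    print("good metadata:", check_slo_endpoints(IDP_METADATA))
    print("bad metadata:", check_slo_endpoints(BAD_METADATA))
    print("NameID:", subject_name_id(GOOD_ASSERTION))
    print("attribute-only assertion:", subject_name_id(BAD_ASSERTION))
```

Run it against the metadata file your identity provider publishes and against a decoded assertion captured from a test login; an empty problem list and a non-empty NameID are what you want to see before switching single logout on for all users.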

User logout with SLO

When single logout is enabled, logouts can be initiated by the identity provider or the service provider.

The following describes what happens when Oracle Eloqua initiates the logout.

  1. From Oracle Eloqua, a user clicks Log Out.
  2. Oracle Eloqua logs the user out of its single sign-on session.
  3. Oracle Eloqua generates a SAML logout request message.
  4. The browser is redirected to the identity provider's single logout URL, carrying the logout request.
  5. The identity provider determines whether the user is currently logged into any other service providers in this session.
  6. For each such service provider, the identity provider generates a logout request and the browser is redirected to that service provider's logout URL.
  7. After validating the logout request from the identity provider, each service provider ends its own login session.
  8. The identity provider then ends its own login session and sends a logout response message to Oracle Eloqua.
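The following Python script is an added example of the service provider side of that exchange; it is not Oracle Eloqua's code. It builds the logout request of step 3, applies the HTTP-Redirect binding encoding of step 4 using the identity provider's redirect logout URL from the metadata above, and validates the logout response of step 8 before treating the session as ended. The service provider entity ID and logout URL, the SessionIndex value and the identity provider's response are assumptions constructed for the example. Signing is omitted; in a real deployment both messages are signed and the signature is verified before any other check.

```python
# Added example (not Oracle Eloqua's code): the SP-initiated flow above as SAML
# messages. Builds the LogoutRequest (step 3), encodes it for the HTTP-Redirect
# binding (step 4), and validates the IdP's LogoutResponse (step 8). Standard
# library only. SP_ENTITY_ID and SP_SLO_URL are assumptions; IDP_SLO_URL is the
# HTTP-Redirect Location from the page's metadata. Messages are unsigned here;
# in production both directions are signed and verified.
import base64
import secrets
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

IDP_SLO_URL = "http://example.example.com:8080/openam/IDPSloRedirect/metaAlias/idp"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"  # assumption
SP_SLO_URL = "https://sp.example.com/saml/slo"         # assumption


def build_logout_request(name_id, name_id_format, session_index, request_id=None, issue_instant=None):
    """Step 3: return (request_id, xml) for a LogoutRequest naming the IdP session to end."""
    request_id = request_id or "_" + secrets.token_hex(20)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SLO_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>'
        f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )
    return request_id, xml


def redirect_url(request_xml, relay_state=None):
    """Step 4: HTTP-Redirect binding encoding: raw DEFLATE, then base64, then URL-encode.
    A real message also carries SigAlg and Signature query parameters (omitted here)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = compressor.compress(request_xml.encode()) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_SLO_URL + "?" + urlencode(params)


def decode_redirect(url):
    """Reverse of redirect_url: what the IdP does with the SAMLRequest parameter it receives."""
    query = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()


def validate_logout_response(response_xml, expected_request_id):
    """Step 8: checks before the SP treats the logout as complete. Returns (ok, reason)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        return False, "not a LogoutResponse"
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match an outstanding request (unsolicited or replayed)"
    if root.get("Destination") not in (None, SP_SLO_URL):
        return False, "Destination is not this SP's SLO endpoint"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value") if code is not None else None
    if value != STATUS_SUCCESS:
        return False, f"IdP reported {value}"
    return True, "ok"


def sample_idp_response(in_response_to, status=STATUS_SUCCESS):
    """Constructed LogoutResponse as the IdP would return it in step 8 (unsigned, fixed timestamp)."""
    return (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_idp1" '
        f'Version="2.0" IssueInstant="2000-01-01T00:00:00Z" InResponseTo="{in_response_to}" '
        f'Destination="{SP_SLO_URL}">'
        "<saml:Issuer>http://example.example.com:8080/openam</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{status}" /></samlp:Status>'
        "</samlp:LogoutResponse>"
    )


if __name__ == "__main__":
    rid, req = build_logout_request("_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7",
                                    "urn:oasis:names:tc:SAML:1.1:nameid-format:persistent", "s2c1")
    print(redirect_url(req, relay_state="eloqua"))
    print(validate_logout_response(sample_idp_response(rid), rid))
    print(validate_logout_response(sample_idp_response("_someone_else"), rid))
```

The InResponseTo and Destination checks are what stop an unsolicited or replayed logout response from being accepted; the same Destination check, an Issuer check against the configured identity provider, and signature verification apply to an inbound logout request in step 7 before a service provider ends a session.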

Get started

Enabling single logout

Testing your single logout configuration

Learn more

Creating an identity provider in Oracle Eloqua

SSO with a SAML compliant identity provider

Redirecting SSO users to a custom URL on logout