Single Logout (SLO)

Single Logout (SLO) is a supported feature for third-party partner SSO. The SLO profile of the OAuth specification provides for coordinated and near-simultaneous logout across applications with a federated authentication context. Oracle's implementation of OAuth 2.0 and OpenID Connect can include SLO capabilities, which allow a user to log out of multiple connected applications simultaneously when initiating a logout from one of them. Refer to the following information to configure SLO:

  • Review the available Oracle Identity and Access Management documentation for the logout endpoint.
  • The endpoint can be constructed using one of the following methods:
    • https://{IDCS_HOST}/oauth2/v1/userlogout where IDCS_HOST is the host and port information for your Identity and Access Management server.
    • Use the Identity and Access Management discovery URL https://{IDCS_HOST}/.well-known/openid-configuration, where IDCS_HOST is the host and port information for your Identity and Access Management server, to retrieve the value from end_session_endpoint.
  • To trigger an SLO request, you must pass the following parameters to the userlogout endpoint: https://{IDCS_HOST}/oauth2/v1/userlogout?id_token_hint={ID_Token}&post_logout_redirect_uri={Post_Logout_URL}
    • IDCS_HOST: The host and port information for your Identity and Access Management server.
    • ID_Token: The ID token from the Identity and Access Management response to a user login.
    • Post_Logout_URL: The post logout URL. This location is where a user is returned to when the Authorization Code Flow is completed. The URL must be allow-listed in Identity and Access Management before it can be used. Multiple URLs can be allow-listed, and examples per tier are provided below:
      • Stage: https://www.qadomain.net/utility_name/Secure/Logout.aspx
      • Prod: https://www.proddomain.net/utility_name/Secure/Logout.aspx
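
The steps above as an added Python example (not Oracle's code): it resolves the logout endpoint from a discovery document or the fixed path, checks the post-logout URL against a local copy of the allow-list, and percent-encodes both parameters. The host idcs.example.com, the sample discovery document, and the function names are assumptions made for illustration.

```python
import json
from urllib.parse import urlencode, urlsplit

# Constructed discovery response; a real one is fetched from
# https://{IDCS_HOST}/.well-known/openid-configuration
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idcs.example.com",
    "end_session_endpoint": "https://idcs.example.com/oauth2/v1/userlogout",
})

# Local copy of the post-logout URLs allow-listed on the server
# (the per-tier examples from this page).
ALLOWED_POST_LOGOUT = {
    "https://www.qadomain.net/utility_name/Secure/Logout.aspx",
    "https://www.proddomain.net/utility_name/Secure/Logout.aspx",
}


def logout_endpoint(idcs_host, discovery_json=None):
    """Return the logout endpoint: from discovery if given, else the fixed path."""
    fixed = f"https://{idcs_host}/oauth2/v1/userlogout"
    if discovery_json is None:
        return fixed
    endpoint = json.loads(discovery_json).get("end_session_endpoint")
    if not endpoint:
        return fixed
    parts = urlsplit(endpoint)
    # Refuse a discovery document that points logout at another host or plain HTTP.
    if parts.scheme != "https" or parts.netloc.lower() != idcs_host.lower():
        raise ValueError(f"unexpected end_session_endpoint: {endpoint}")
    return endpoint


def build_slo_url(idcs_host, id_token, post_logout_url, discovery_json=None):
    """Build the SLO request URL with both parameters percent-encoded."""
    if not id_token:
        raise ValueError("id_token_hint is required")
    # Exact string match only: no prefix or substring matching on redirect targets.
    if post_logout_url not in ALLOWED_POST_LOGOUT:
        raise ValueError(f"post-logout URL is not allow-listed: {post_logout_url}")
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_url,
    })
    return f"{logout_endpoint(idcs_host, discovery_json)}?{query}"
```

The ID token ends up in the query string of the logout request, so keep the generated URL out of application logs.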