A SAML single logout operation uses the following flow:

  1. The user initiates logout.
  2. The session participant initiates single logout by sending a <LogoutRequest> message to the identity provider that sent the corresponding <AuthnRequest> authentication assertion.
  3. The SAML service validates the request. It then calls the end session endpoint of the flow orchestration service and passes through the cookie header. The flow orchestration service deletes the session identified by the session cookie and includes a Set-Cookie in the response to immediately expire the session cookie.
  4. The identity provider uses the contents of the <LogoutRequest> message to determine the session(s) being terminated.
  5. The identity provider issues a <LogoutResponse> message to the original requesting session participant.

The GET /{environmentId}/saml20/idp/slo operation initiates the SAML single logout action through a GET request. In the request URL, the SAMLRequest parameter contains the encoded SAML logout request information.