In the Identity Provider form, we have an attribute '
In Single Sign-On (SSO), this is how a Single Logout Request works:
- The Service Provider (ServiceNow instance in our case) generates a LogoutRequest SAML message and returns it to the user's browser. This validates the request to the Identity Provider.
- The LogoutRequest is appended to the Identity Provider's Single Logout Endpoint, a dedicated URL that expects to receive SingleLogout requests. This entire URL is returned to the user’s browser via a 302 HTTP redirection response.
- The browser follows the redirect and requests the IdP’s SingleLogout URL with the Logout Request in the query string.
- The Identity Provider determines the other Service Providers that support SingleLogout to which the end-user received Single Sign-On during the current logon session. The IdP then iteratively does the following for each participating Service Provider:
  - Generates a new LogoutRequest
  - Redirects the user’s browser to that Service Provider’s SingleLogout endpoint
  - Waits for a LogoutResponse from the Service Provider via the user’s browser
- Each Service Provider terminates its own logon session for the user after receiving and validating the LogoutRequest from the Identity Provider.
- The Identity Provider terminates its own logon session and sends a final LogoutResponse message to the initiating Service Provider. This response corresponds to the original LogoutRequest sent in step 1. The response includes a flag telling the originating Service Provider whether SAML Single Logout was either fully or partially completed.
- The Service Provider displays a logout page to the user.
This may also cause an error page at the time of 'Test Connection'. Clear the value, save the record and run a test again.
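The redirect-based exchange in the steps above, as an added Python example (not ServiceNow's or any Identity Provider's code): it encodes a LogoutRequest into the query string the way the SAML 2.0 HTTP-Redirect binding does, decodes it again, and checks that a LogoutResponse matches the request that was sent and whether logout was full or partial. The function names, message IDs and sample XML are constructed for illustration; the status URIs are the SAML 2.0 ones, and signature validation is assumed to happen elsewhere.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

P = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

def to_redirect_url(endpoint, xml, param):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    deflater = zlib.compressobj(wbits=-15)  # -15 = raw DEFLATE, no zlib header
    raw = deflater.compress(xml.encode()) + deflater.flush()
    return endpoint + "?" + urlencode({param: base64.b64encode(raw).decode()})

def from_redirect_url(url, param):
    """Reverse of to_redirect_url. Production code must also verify the signature."""
    value = parse_qs(urlparse(url).query)[param][0]
    return ET.fromstring(zlib.decompress(base64.b64decode(value), -15))

def logout_outcome(response, sent_id):
    """Return 'complete' or 'partial' for a LogoutResponse, else raise."""
    if response.tag != f"{{{P}}}LogoutResponse":
        raise ValueError("not a LogoutResponse")
    if response.get("InResponseTo") != sent_id:
        raise ValueError("InResponseTo does not match the LogoutRequest we sent")
    top = response.find(f"{{{P}}}Status/{{{P}}}StatusCode")
    if top is None:
        raise ValueError("missing StatusCode")
    nested = top.find(f"{{{P}}}StatusCode")
    if nested is not None and nested.get("Value") == STATUS + "PartialLogout":
        return "partial"
    if top.get("Value") == STATUS + "Success":
        return "complete"
    raise ValueError("logout failed: " + str(top.get("Value")))

# Constructed sample messages (IDs, hosts and user are made up).
REQUEST_ID = "_sp-req-0001"
LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{P}" ID="{REQUEST_ID}" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z"><saml:NameID '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">user@example.com'
    '</saml:NameID></samlp:LogoutRequest>')

def sample_response(in_response_to, nested=""):
    inner = f'<samlp:StatusCode Value="{STATUS}{nested}"/>' if nested else ""
    return (f'<samlp:LogoutResponse xmlns:samlp="{P}" ID="_idp-resp-0001" '
            f'Version="2.0" InResponseTo="{in_response_to}"><samlp:Status>'
            f'<samlp:StatusCode Value="{STATUS}Success">{inner}'
            '</samlp:StatusCode></samlp:Status></samlp:LogoutResponse>')
```

A response whose `InResponseTo` does not equal the ID of the LogoutRequest the Service Provider issued is rejected, and a "partial" result means at least one other Service Provider session may still be active.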