In the Identity Provider form, we have an attribute '

In Single Sign-On (SSO), this is how Single Logout Request works

  • The Service Provider (ServiceNow instance in our case) generates a LogoutRequest SAML message and returns it to the user's browser. This validates the request to the Identity Provider.
  • The Identity Provider's Single Logout Endpoint is appended with the LogoutRequest, which is a dedicated URL that expects to receive SingleLogout requests. This entire URL is returned to the user’s browser via a 302 HTTP redirection response.
  • The browser follows the redirect and requests the IdP’s SingleLogout URL with the Logout Request in the query string.
  • The Identity Provider determines the other Service Providers that support SingleLogout to which the end-user received Single Sign-On during the current logon session. The IdP then iteratively does the following for each participating Service Provider:
    1. Generates a new LogoutRequest
    2. Redirect user’s browser to that Service Provider’s SingleLogout endpoint
    3. Waits for a LogoutResponse from the Service Provider via the user’s browser
  • Each Service Provider terminates its own logon session for the user after receiving and validating the LogoutRequest from the Identity Provider.
  • The Identity Provider terminates its own logon session and sends a final LogoutResponse message that to the initiating Service Provider. This matches the original LogoutRequest it sent in step 1. The response includes a flag telling the originating Service Provider whether SAML Single Logout was either fully or partially completed.
  • The Service Provider displays a logout page to the user.




Additional Information

How to set up SingleLogoutRequest service URL in ServiceNow?

How to enable signed logout requests in ServiceNow?

This may also cause an error page at the time of 'Test Connection'. Clear the value, save the record and run a test again.  

Article Information

Last Updated:2020-10-23 01:53:33