Logout

The Switch edu-ID OP supports OIDC-based logout initiated at the service (RP-initiated logout) and allows the users to optionally log out from all services (logout propagation).

RP-initiated Logout

A relying party (OIDC client) can direct the user to the OP's logout endpoint, which ends the user's session. The logout endpoint is implemented according to the OpenID Connect RP-Initiated Logout 1.0 specification.

In short: Calling the OP's logout endpoint (published as end_session_endpoint on https://login.eduid.ch/.well-known/openid-configuration) immediately terminates the user's SSO session on the OP. (Note that the SAML IdP session is also terminated, since the IdP and OP share a session.) The request to the OP's logout endpoint can contain hints about the user to be logged out, as described in the specification. In addition, the client can provide a post_logout_redirect_uri; see the following sub-section "Post-logout redirection" for details.

Apart from only terminating the session on the OP, the user can choose to propagate the logout to other clients which might have an open session in this browser, as described in the section "Logout propagation" below.

Post-logout redirection

The RP-Initiated Logout specification defines post_logout_redirect_uri as an optional parameter of the end-session request. Please take note of the following clarifications for points where the specification is open to different interpretations and the edu-ID OP might therefore not behave exactly as you expect:

  • If a post_logout_redirect_uri is given in the request, a client_id MUST also be given.
  • The post_logout_redirect_uri MUST be registered beforehand in the Resource Registry for the client given in the client_id. This can be done for a client by adding it in the respective field in the Service Locations.
  • After completion of the logout on the OP, the user agent is NOT actually redirected to the given post_logout_redirect_uri. The post_logout_redirect_uri is only called within an iframe, as specified in section 3 (Redirection to RP After Logout) of the specification. The user experience ends on the OP, on a view which states the logout status. This is a deliberate decision in order to let the user know transparently whether client sessions might still be open and whether it is recommended to close the browser.

Logout propagation

When the OP session is terminated via RP-initiated logout (or similarly via SAML Single Logout), the user can choose whether to stay logged in on the services he/she has accessed or whether the OP should try to propagate the logout.

The Switch edu-ID OP supports two specifications of logouts for OIDC clients:

  • OpenID Connect Front-Channel Logout 1.0
  • OpenID Connect Back-Channel Logout 1.0

Take note of the following clarifications in order to fully understand how the edu-ID OP implements them:

  • For both methods, the respective URIs MUST be registered in the Resource Registry. Otherwise, no logout is propagated to the service.
  • If both a backchannel_logout_uri and a frontchannel_logout_uri are provided, only backchannel logout is processed.
  • If a user chooses to log out of all services...
    • the registered frontchannel_logout_uri of each client the user has logged in to is called within an iframe according to the specification. The client is then expected to fully terminate this user's session. All frontchannel logouts are considered successful regardless of the response.
    • the registered backchannel_logout_uri of each client the user has logged in to is called via the backchannel according to the specification. The client is then expected to fully terminate this user's session. Backchannel logouts are considered successful only if status code 200 is returned.
    • Single logout is also applied to all SAML services which have registered corresponding endpoints.
    • The user is shown whether all logouts were successful and whether it is advisable to close the browser (if there were services where logout propagation failed or is not supported at all).
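As an added illustration (not code from Switch or the edu-ID OP), the following sketches what an RP's backchannel_logout_uri handler has to do for the propagation described above: validate the logout token's claims as required by OpenID Connect Back-Channel Logout 1.0, terminate the matching local session, and answer with status 200, the only response the OP counts as success. The session store, issuer value and claim values are constructed for the example; signature verification of the token against the OP's JWKS is assumed to have happened before these checks.

```python
import time

# Constructed in-memory RP session store: session id (sid) -> user subject (sub)
SESSIONS = {"sid-abc": "user-1", "sid-def": "user-2"}

# Assumed issuer; take the real value from the OP's discovery document
ISSUER = "https://login.eduid.ch/"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def validate_logout_token(claims, issuer, client_id, now=None, max_age=300):
    """Check the claims of a logout token per Back-Channel Logout 1.0.
    `claims` must already be signature-verified (assumed done upstream).
    Returns None when valid, otherwise a short reason string."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return "issuer mismatch"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        return "audience mismatch"
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60 or now - iat > max_age:
        return "iat missing or outside acceptable window"
    if not claims.get("jti"):
        return "jti missing"           # jti should also be checked for replay
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        return "events claim missing backchannel-logout member"
    if "nonce" in claims:
        return "nonce present"         # the spec prohibits nonce in logout tokens
    if not claims.get("sub") and not claims.get("sid"):
        return "neither sub nor sid present"
    return None


def handle_backchannel_logout(claims, issuer, client_id, sessions=SESSIONS, now=None):
    """Return (status_code, body). Only 200 is treated as success by the OP."""
    error = validate_logout_token(claims, issuer, client_id, now)
    if error:
        return 400, {"error": "invalid_request", "error_description": error}
    sid, sub = claims.get("sid"), claims.get("sub")
    # Prefer the exact session (sid); fall back to all sessions of the subject
    ended = [s for s, u in sessions.items() if (sid and s == sid) or (not sid and u == sub)]
    for s in ended:
        del sessions[s]
    return 200, {"terminated": ended}
```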