SAML Single Logout

Understand how single logout works between your identity provider and Foundry

Overview

SAML Single Logout (SLO) allows a user to be signed out of multiple connected systems as part of the same single sign‑on session.

Foundry supports both service provider (SP)–initiated and identity provider (IdP)–initiated single logout, as long as your identity provider supports the corresponding SLO method. Support varies by IdP—some support both methods, some support only one, and others do not support SLO at all.


Service Provider–Initiated SLO

With SP‑initiated SLO, the logout process begins in Foundry.

When a user signs out of Foundry:

  • Foundry sends a SAML LogoutRequest to the identity provider
  • The IdP signs the user out of the same SSO session
  • Depending on the IdP, this may also trigger logout from other connected service providers

To enable SP‑initiated SLO:

  1. Open the Foundry IdP setup for your identity provider
  2. Select Also log users out of this provider when logging out of Foundry
  3. Enter the IdP’s Single Logout URL in the SLO URL field

Both settings are required for Foundry to send logout requests to the IdP.

Note: Not all identity providers support SP‑initiated SLO.


Identity Provider–Initiated SLO

With IdP‑initiated SLO, the logout process begins in the identity provider.

When a user signs out of the IdP:

  • The IdP sends a SAML LogoutRequest to Foundry
  • Foundry ends the user’s session

If your IdP supports IdP‑initiated SLO, no additional configuration is required in Foundry. However, you must configure the IdP to include Foundry’s SLO URL.

You can find Foundry’s SLO URL in the SAML metadata for your organization.

Note: Not all identity providers support IdP‑initiated SLO.


Controlling Which SLO Methods Are Enabled

To support only IdP‑initiated SLO, disable SP‑initiated logout in Foundry.

To do this, clear the Also log users out of this provider when logging out of Foundry checkbox in the Foundry IdP setup.

Foundry cannot ignore or block an IdP‑initiated logout request. If you do not want IdP‑initiated SLO to occur, you must configure this behavior within your identity provider.


FAQs

We do not want IdP‑initiated SLO. How can we prevent it?
This must be configured in your identity provider. Foundry cannot reject IdP‑initiated logout requests. In many IdPs, leaving the Foundry SLO URL empty will prevent IdP‑initiated SLO. Be aware that some IdPs require this URL to be set for SP‑initiated SLO, which may also enable IdP‑initiated logout.

What is the SLO URL for Foundry?
The Foundry SLO URL is available in your organization’s SAML metadata.

To view it:

  1. Log in to Foundry as an admin
  2. Go to Settings > Single Sign‑On
  3. Select View to open the SAML metadata
  4. Locate the SLO URL value

Each Foundry organization has unique SAML values, so you must reference your own metadata.
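
An added example, not Foundry's own code, for pulling the SLO URL out of a saved copy of the metadata before pasting it into the IdP. It assumes the metadata follows the standard SAML 2.0 layout, where the SLO URL is the Location attribute of a SingleLogoutService element under SPSSODescriptor; the sample XML, entity ID and URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata; entity ID and URLs are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/org-placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.invalid/saml/org-placeholder/slo"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/org-placeholder/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def slo_endpoints(metadata_xml):
    """Return (binding, location) for each SP SingleLogoutService element."""
    # SAML metadata has no need for a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in metadata_xml.upper():
        raise ValueError("DTDs are not expected in SAML metadata")
    root = ET.fromstring(metadata_xml)
    found = []
    for sp in root.iter(f"{{{MD}}}SPSSODescriptor"):
        for svc in sp.findall(f"{{{MD}}}SingleLogoutService"):
            location = svc.get("Location", "")
            # A logout endpoint served over plain HTTP should never be registered.
            if urlparse(location).scheme != "https":
                raise ValueError(f"SLO endpoint is not HTTPS: {location!r}")
            found.append((svc.get("Binding"), location))
    return found


if __name__ == "__main__":
    for binding, location in slo_endpoints(SAMPLE_METADATA):
        # Show only the short binding name, e.g. HTTP-Redirect.
        print(binding.rsplit(":", 1)[-1], location)
```

An empty result means the metadata advertises no SLO endpoint. The binding shown next to the URL is the one the IdP must use when sending its LogoutRequest.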