When a user manually logs out of Aria, or if Aria enforces a session time-out, this is considered a local session logout. When a user manually logs out using the IdP portal, or if the IdP enforces a session time-out, this is considered an IdP session logout.
Aria and third-party IdPs communicate with each other by using SAML 2.0 LogoutRequest and LogoutResponse messages. These messages can be transferred using either front-channel binding (HTTP-Redirect) or back-channel binding (SOAP).
A standard SLO sequence depends on whether the logout request is initiated by Aria, or by the IdP.
Logout Request Initiated by Aria
If the logout request was initiated by Aria:
- Aria sends a logout request to the IdP.
- The IdP destroys the user’s session.
- The IdP sends a logout response to Aria, which then destroys the session.
Logout Request Initiated by IdP
If the logout request was initiated by the IdP:
- The IdP sends a logout request to Aria, as well as to any other service providers to which the user is authenticated.
- Aria destroys the user’s session and provides a logout response indicating whether the logout was successful.
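
The IdP-initiated sequence above, seen from the service provider's side, as an added example (not Aria's own code): it parses a LogoutRequest, destroys the matching session, and builds the LogoutResponse with a success or failure status. The entity IDs, the in-memory session store, the sample request and the use of the Requester status for an unknown session are assumptions of this sketch, and signature validation is assumed to have happened beforehand.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_OK = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_FAIL = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed session store: (NameID, SessionIndex) -> local session id.
SESSIONS = {("alice@example.com", "idx-1"): "local-sess-42"}

# Constructed IdP-initiated LogoutRequest (signature omitted).
SAMPLE_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}"
    xmlns:saml="{SAML}" ID="_req1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:NameID>alice@example.com</saml:NameID>
  <samlp:SessionIndex>idx-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def handle_logout_request(xml_text, sp_entity_id="https://sp.example.com"):
    """Destroy the matching local session and return a LogoutResponse."""
    # Assumption: the signature and issuer were validated before this point.
    if "<!DOCTYPE" in xml_text.upper():  # refuse DTDs / entity definitions
        raise ValueError("DOCTYPE not allowed in SAML messages")
    req = ET.fromstring(xml_text)
    if req.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    key = (req.findtext("saml:NameID", namespaces=NS),
           req.findtext("samlp:SessionIndex", namespaces=NS))
    # pop() makes a replayed or unknown request report failure, not success.
    destroyed = SESSIONS.pop(key, None) is not None
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "InResponseTo": req.get("ID", "")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = sp_entity_id
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": STATUS_OK if destroyed else STATUS_FAIL})
    return ET.tostring(resp, encoding="unicode")
```

The InResponseTo attribute ties the response to the request ID, which is what lets the IdP match the result to the logout it initiated.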