
Enabling Single Logout (SLO)

Cloud SSO does not natively support single logout because it does not handle any user session information directly - it is primarily a pass-through between iMIS and other OIDC/SAML client apps and/or external directories.

The following document explains how to implement single logout in iMIS, with a built-in redirect to forward the user to the third-party app or connected external directory to simultaneously sign them out in those environments as well.

Create a RiSE Page

In Staff Site > RiSE > Page Builder > Manage Content, choose a common location for the logout page. For example, if you already have a folder for SSO with CSI Cloud SSO pages in it, you can place the logout page in the same folder.

Set up the Page Properties / Configuration

Name the page: SingleLogout

Under Redirect Rules, add a condition for redirect: User is not authenticated

Target URL: Enter the URL to send a visitor to if they load your logout page while already logged out. For example, you may enter your main homepage URL here (https://example.org).

Under Access Settings, set the page permissions to Preconfigured Security Set and “Everyone Read”.

Add the Page Content

Back on the Definition tab, click Add Content, then double-click the Content Html iPart.

In the box that appears, at the bottom, click Convert to Advanced Content.

Next, at the bottom, switch to HTML mode:


Copy and paste this code snippet into the editor box:

<script>

// *** IMPORTANT ***
// Change this "logout_target_url" variable to your directory's single logout 
// page. See the "Directory Logout Reference" section of the docs for guidance.

let logout_target_url = 'https://example.com/';

document.addEventListener('DOMContentLoaded', function () {
    fetch('/AsiCommon/Controls/Shared/FormsAuthentication/logout.aspx', {
        method: 'GET',
        credentials: 'include'
    })
    .then(response => {
        window.location.href = logout_target_url;
    })
    .catch(error => {
        console.error('Logout failed', error);
        window.location.href = logout_target_url;
    });
});
</script>

IMPORTANT: Be sure to update the logout_target_url variable to point to your external app or directory’s single logout (or “front-channel” logout) page.

See below for guidance with common external directory providers.

After you’ve updated the target URL, press OK and then Save & Publish.

The Publish location (the full URL) of that page is now the link you can use to sign someone out of iMIS, as well as the target/connected external app or directory. You can link to this page from anywhere else in iMIS/RiSE, or even on another website.

Directory Logout Reference

Below are a few examples of logout URLs from common external directory providers.

If your directory or app is not listed here, please see the “Other” section below for general guidance.

Microsoft Entra ID (formerly Azure AD)

First, obtain your Tenant ID (a GUID).

Next, decide if you want to take the user somewhere else after being signed out of Microsoft/Entra, or if you want them to stay in Entra and view the default “You have signed out.” UI.

If you want to take the user to an external site, you need to register the exact URL that the user will be taken to as an allowed “Redirect URL” in the Entra client app configuration.

Logout Only

https://login.microsoftonline.com/__TENANT_ID_HERE__/oauth2/v2.0/logout

Logout and Redirect

https://login.microsoftonline.com/__TENANT_ID_HERE__/oauth2/v2.0/logout?post_logout_redirect_uri=https://example.com

NOTE: Replace __TENANT_ID_HERE__ with your Microsoft Tenant ID, and for redirect, replace https://example.com with the exact destination URL that you added to the allowed Redirect URL list above.

Microsoft’s OIDC front-channel logout documentation can be found here.

AWS Cognito

First, obtain the following information:

  • Your domain prefix (e.g. the “xxxx” in xxxx.auth.region-code.amazoncognito.com)

  • Your AWS region code

  • Your app’s client ID (the one connected to Cloud SSO)

  • The redirect URL to take users to after they’ve been signed out

You’ll need to register the specific redirect URL in your client app settings; look for the “Allowed sign out URLs” field.

Logout and Redirect

https://__YOUR_DOMAIN__.auth.__YOUR_REGION__.amazoncognito.com/logout?client_id=__YOUR_CLIENT_ID__&logout_uri=__YOUR_REDIRECT_URI__

Replace __YOUR_DOMAIN__, __YOUR_REGION__, __YOUR_CLIENT_ID__, and __YOUR_REDIRECT_URI__ with the appropriate values from above.

For example:

https://csi-docs-sample.auth.us-east-2.amazoncognito.com/logout?client_id=abcdefghijklmnopqrstuvwxyz&logout_uri=https://example.com
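As an added example (not part of the vendor documentation), the JavaScript below builds the Entra ID and Cognito logout URLs shown above, validating the inputs and percent-encoding the redirect so that a destination carrying its own query string survives intact. The function names and the character checks on the Cognito domain prefix and region are assumptions made for illustration; the result is the value to assign to logout_target_url.

```javascript
// Added example: logout URL builders for the two directory formats above.
// Function names and sample values are constructed for illustration.

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Accept only absolute https:// URLs. The value is returned unchanged
// (not normalized) because the directory compares it against the exact
// redirect URL registered in the client app settings.
function requireHttps(value) {
    const parsed = new URL(value); // throws TypeError on a malformed URL
    if (parsed.protocol !== 'https:') {
        throw new Error('Redirect must be an https:// URL: ' + value);
    }
    return value;
}

// Microsoft Entra ID: "Logout Only" when redirectUrl is omitted,
// "Logout and Redirect" otherwise.
function entraLogoutUrl(tenantId, redirectUrl) {
    if (!GUID_RE.test(tenantId)) {
        throw new Error('Tenant ID must be a GUID');
    }
    const url = new URL(`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/logout`);
    if (redirectUrl) {
        // searchParams.set() percent-encodes the value
        url.searchParams.set('post_logout_redirect_uri', requireHttps(redirectUrl));
    }
    return url.href;
}

// AWS Cognito: "Logout and Redirect".
function cognitoLogoutUrl(domainPrefix, region, clientId, redirectUrl) {
    // Assumption: keep both host components to a-z, 0-9 and "-" so they
    // cannot alter the host name the browser is sent to.
    const hostPart = /^[a-z0-9-]+$/;
    if (!hostPart.test(domainPrefix) || !hostPart.test(region)) {
        throw new Error('Domain prefix and region may contain only a-z, 0-9 and "-"');
    }
    const url = new URL(`https://${domainPrefix}.auth.${region}.amazoncognito.com/logout`);
    url.searchParams.set('client_id', clientId);
    url.searchParams.set('logout_uri', requireHttps(redirectUrl));
    return url.href;
}
```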

Other

Any connected application looking to support single logout from iMIS must behave as follows:

  • Accepts an HTTP(S) GET request from a browser (CORS optional / not required)

  • Completely and automatically signs the user out and removes all session information without any prompts or confirmations

  • Optionally, redirects the user to another destination URL (either to chain additional logouts together, or to a confirmation page or homepage)
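One way a connected application could meet these three requirements, as an added example that is not vendor code: the function below computes the HTTP response for a logout request. The /logout path, the "sid" cookie, the "next" parameter, the in-memory session store and the allowlisted destinations are all hypothetical; wire the function into whatever HTTP framework the application uses.

```javascript
// Added example: framework-neutral logout handler.
// All names and values below are constructed for illustration.

const sessions = new Map(); // session id -> session data (stand-in store)
const ALLOWED_NEXT = new Set([
    'https://example.org/',
    'https://example.org/signed-out',
]);
const DEFAULT_NEXT = 'https://example.org/';

// Returns { status, headers } for a request to the logout endpoint.
function logoutResponse(method, rawUrl, cookieHeader) {
    const url = new URL(rawUrl, 'https://app.invalid'); // base only for parsing
    if (url.pathname !== '/logout') return { status: 404, headers: {} };
    // Requirement 1: a plain browser GET, no CORS handling needed.
    if (method !== 'GET') return { status: 405, headers: { Allow: 'GET' } };

    // Requirement 2: destroy the server-side session immediately, with no
    // prompt, and expire the session cookie in the browser.
    const match = /(?:^|;\s*)sid=([^;]+)/.exec(cookieHeader || '');
    if (match) sessions.delete(match[1]);

    // Requirement 3: optional onward redirect. Only pre-registered
    // destinations are honoured; anything else falls back to the default,
    // so the endpoint cannot be used as an open redirect.
    const next = url.searchParams.get('next');
    const location = ALLOWED_NEXT.has(next) ? next : DEFAULT_NEXT;

    return {
        status: 302,
        headers: {
            'Set-Cookie': 'sid=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax',
            'Cache-Control': 'no-store',
            Location: location,
        },
    };
}
```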
