Starting with version 2.1.0, SAML SingleSignOn supports SAML Single Logout (SLO).

Please be aware that Single Logout is currently marked as experimental. It has been intensively tested, but due to the huge variety of SAML Identity Providers and configurations, we strongly recommend testing it in a staging environment before using it in production.

Single Logout consists of two parts:

  • Closing the session on the Identity Provider if logging out of the Atlassian application
  • Closing the session on connected Atlassian applications if it is closed on the IdP

Our Addon supports both, but the support differs from IdP to IdP (see below).

Configuration

To configure Single Logout, perform the steps below:

  • To provide the Single Logout-URLs in the SAML-Metadata, either enable the checkbox Include Logout URLs in Metadata in the Addon's configuration tab Service Provider or use this URL when fetching the Metadata on the IdP:
    https://<baseUrl>/plugins/servlet/samlsso/metadata?slo



  • In the Addon's IdP Configuration-tab for the IdP, select POST or REDIRECT for the Logout Binding and set the Single Logout-URL. If you loaded IdP metadata and your IdP supports single logout, this URL should be set automatically.



  • Save the configuration
  • Configure the IdP for Single Logout

IdP-specific configuration and limitations

Single logout has been tested so far with the following SAML IdPs. It should work with any other IdP supporting SLO.

ADFS

ADFS fully supports single logout. No special configuration is necessary if metadata with the SLO-URLs is imported. After importing, check that the signing certificate and the logout endpoints are included in the configuration:
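One way to run that check on an exported metadata file, and equally on the Service Provider metadata served at the `?slo` URL above. This is an added example, not part of the Addon or its documentation; the sample documents, host names and function names are constructed for illustration:

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-"

# Constructed sample: metadata with a signing certificate and a logout endpoint.
WITH_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://idp.example.com/saml/logout"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed sample: metadata exported without logout URLs or a signing key.
WITHOUT_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp2.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Location="https://idp2.example.com/saml/login"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def slo_report(xml_text):
    """Per role descriptor: SLO (binding, URL) pairs and signing-certificate presence."""
    report = {}
    for desc in ET.fromstring(xml_text).iter():
        if not desc.tag.endswith("SSODescriptor"):
            continue  # only IDPSSODescriptor / SPSSODescriptor carry SLO endpoints
        endpoints = [(e.get("Binding", "").replace(BINDING, "").upper(), e.get("Location"))
                     for e in desc.iterfind("md:SingleLogoutService", NS)]
        # A KeyDescriptor without a "use" attribute is valid for signing too.
        signing = any(k.get("use") in (None, "signing")
                      and k.find(".//ds:X509Certificate", NS) is not None
                      for k in desc.iterfind("md:KeyDescriptor", NS))
        report[desc.tag.split("}")[1]] = {"slo": endpoints, "signing_cert": signing}
    return report

def problems(report):
    """List what is missing for Single Logout in each role descriptor."""
    out = []
    for role, info in report.items():
        if not info["slo"]:
            out.append(f"{role}: no SingleLogoutService endpoint")
        if not info["signing_cert"]:
            out.append(f"{role}: no signing certificate")
    return out
```

The binding names are normalised to POST and REDIRECT so they can be compared with the Logout Binding selected in the Addon. For metadata fetched over the network rather than from a trusted file, parse it with a hardened XML parser such as defusedxml instead of the standard library parser.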

OneLogin

OneLogin supports Single Logout, but does not sign the SAML logout requests and does not include the session index in the logout requests. To make it work, enable these checkboxes in the Addon's IdP configuration:



To configure OneLogin for Single Logout, use the SAML Test Connector (IdP w/attr) and set the logout URL to https://<baseUrl>/plugins/servlet/samlsso

Okta

Okta support for Single Logout is limited:

  • If you log out of the Atlassian application, the session on Okta is closed, but the sessions on other applications stay active.
  • If you have multiple applications configured and you log out of the first one, then you get the logout screen. If you then log out of the second one, you will see the Okta login screen. After logging in there, the logout process is completed and no new Okta-session is created. The internal Okta ticket-id for this issue is OKTA-164419.

To enable Single Logout, set the appropriate values in the Application's SAML-settings: