Goal

This guide shows how to configure the AWS app for a successful logout. A full logout actually requires two things:

  1. Invalidate the AWS load balancer session
  2. Invalidate the session on the identity provider


Depending on your identity provider, there might be no (OIDC) logout URL. In that case, single logout will not work: once the AWS load balancer session is invalidated, the load balancer redirects back to the identity provider, which still holds a valid session and signs the user in again.


Since (single) logout is not part of the OIDC specification yet, identity providers have freedom in the implementation. We include known logout URLs with this tutorial.
As of now, we know that Azure and Ping Identity should work. Amazon Cognito and ADFS may also work.

If you have questions, please contact us at https://www.resolution.de/go/support or book a free meeting via https://www.resolution.de/go/calendly.


Prerequisites


  • You have app version 2.1 installed.
  • Your identity provider offers an OIDC logout endpoint.


Guide


  1. Go to the AWS ALB & Amazon Cognito Authentication configuration.

  2. Scroll down to the Logout Settings:

    1. Enable Delete ALB Session Cookie on Logout:
      This invalidates the ALB session cookie and ends the ALB session.

    2. Enable Redirect Users After Logout:
      When activated, users are redirected to this URL on logout. This must be the OIDC logout endpoint for your identity provider.


      Please find a table with logout URLs below. You may need to adjust the URL to your needs:

      Identity Provider   Logout URL
      Azure               https://login.microsoftonline.com/<Your Tenant Id>/oauth2/v2.0/logout
      ADFS                https://<your adfs URL>/adfs/oauth2/logout
      Amazon Cognito      https://<your cognito>.amazoncognito.com/logout?client_id=<your client id from Cognito>
      Ping Identity       https://<Ping Identity Url>/idp/startSLO.ping?id_token_hint=id_token_issued_to_client


      Other identity providers may also work. Please contact us at https://www.resolution.de/go/support if you use an identity provider that is not on this list.

  3. Save your configuration.
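To make the two Logout Settings above concrete, here is an added example (not code from the app or from resolution.de) that models what a logout response has to carry: the ALB session cookies expired, plus a redirect to the configured identity provider logout endpoint. It also shows the failure mode from the Goal section, where no logout URL is configured and only the ALB session ends. The cookie name prefix AWSELBAuthSessionCookie- is the one AWS documents for load balancer authentication sessions; the request cookies and the example URLs are constructed, and the placeholder check assumes the `<...>` notation used in the table above.

```python
from urllib.parse import urlsplit

# Prefix of the cookies in which the ALB keeps its authentication session (per AWS
# documentation). A large session is split into AWSELBAuthSessionCookie-0, -1, ...
ALB_COOKIE_PREFIX = "AWSELBAuthSessionCookie-"

# Expiry in the past: the browser drops the cookie, so the next request reaches the
# ALB without a session and the ALB starts a fresh OIDC authentication.
EXPIRED = "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0"


def expired_alb_cookie_headers(request_cookies):
    """Return one Set-Cookie header per ALB session cookie found in the request.

    This is the effect of 'Delete ALB Session Cookie on Logout'. Only the ALB
    cookies are touched; other application cookies are left alone.
    """
    headers = []
    for name in request_cookies:
        if name.startswith(ALB_COOKIE_PREFIX):
            headers.append(("Set-Cookie", f"{name}=; {EXPIRED}; Path=/; Secure; HttpOnly"))
    return headers


def validate_logout_url(url):
    """Reject a 'Redirect Users After Logout' value that cannot work.

    The value must be an absolute https URL, and the placeholders from the table
    (e.g. <Your Tenant Id>) must have been replaced before saving the configuration.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"logout URL must be an absolute https URL: {url!r}")
    if "<" in url or ">" in url:
        raise ValueError(f"logout URL still contains a template placeholder: {url!r}")


def is_usable_logout_url(url):
    """Boolean wrapper around validate_logout_url for configuration checks."""
    try:
        validate_logout_url(url)
        return True
    except ValueError:
        return False


def build_logout_response(request_cookies, idp_logout_url=None, post_logout_url="/"):
    """Build the headers of the HTTP response that performs the logout.

    Returns (status, headers, single_logout). single_logout is False when no IdP
    logout URL is configured: the ALB session ends, but the identity provider
    session stays valid, so the next request is silently re-authenticated.
    """
    headers = expired_alb_cookie_headers(request_cookies)
    if idp_logout_url:
        validate_logout_url(idp_logout_url)
        headers.append(("Location", idp_logout_url))
        return 302, headers, True
    headers.append(("Location", post_logout_url))
    return 302, headers, False


if __name__ == "__main__":
    # Constructed request cookies: a two-part ALB session plus an unrelated cookie.
    cookies = {
        "AWSELBAuthSessionCookie-0": "part0",
        "AWSELBAuthSessionCookie-1": "part1",
        "app_session": "unrelated",
    }
    # Constructed Azure-style endpoint with the tenant placeholder already replaced.
    status, headers, slo = build_logout_response(
        cookies, "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/logout"
    )
    print(status, "single logout:", slo)
    for name, value in headers:
        print(f"{name}: {value}")
    # An unreplaced placeholder from the table is caught before it is saved.
    print(is_usable_logout_url("https://<your adfs URL>/adfs/oauth2/logout"))
```

Run it directly to see the response headers a logout would produce; in a real deployment the same headers are emitted by the app on its logout endpoint, and the identity provider then redirects the user wherever its own post-logout setting points.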