Enabling Single Logout
  • 26 Mar 2021


Article Summary

The Single Logout (SLO) feature is an optional part of federated authentication.

With federated authentication a user can sign in to Mambu using Single Sign-On (SSO) through an Identity Provider (IdP). Examples of common IdPs are Okta, Azure Active Directory, Centrify, OneLogin and Google. With SSO a user can sign in to multiple web applications by providing their username and password only once, to the IdP. In this arrangement Mambu and the other web applications are referred to as Service Providers (SPs).

The Single Logout (SLO) feature lets a user log out of one SP (i.e. one web application) that they signed in to using SSO and be logged out of all the other SPs they signed in to during that same SSO session. The user logs out once, from one application, instead of logging out of each application separately.

How Single Logout works with Mambu and your IdP

[Diagram: Single Logout flow between Mambu, the user's browser and the IdP]

  1. A user logs out of the Mambu application.

  2. Mambu generates a digitally signed LogoutRequest SAML message and returns it to the end-user’s browser.

  3. The browser follows the redirect and requests the IdP’s SLO URL with the LogoutRequest in the query string.

  4. The IdP determines which other SLO-capable SPs the end-user signed in to through SSO during the current logon session. The IdP then does the following for each participating SP in turn:

    • Generates a new, digitally signed LogoutRequest.
    • Redirects the user's browser to that SP's SLO endpoint.
    • Waits for a LogoutResponse from the SP, via the user's browser.

  5. Each SP terminates its own logon session for the end user after receiving and validating the LogoutRequest from the IdP.

  6. The IdP terminates its own logon session and sends a final LogoutResponse message to the initiating SP (in our case, Mambu). This response is bound to the LogoutRequest that Mambu generated in step 2: its InResponseTo attribute carries that request's ID. The response also carries a status telling the originating SP whether SAML SLO completed fully or only partially (in SAML 2.0, partial completion is signalled by the second-level status code urn:oasis:names:tc:SAML:2.0:status:PartialLogout).

  7. Mambu displays a login page to the end-user.
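The SP side of the flow above (steps 2, 3 and 6), as an added example that is not Mambu's own code: it builds the LogoutRequest, encodes and signs it for the SAML HTTP-Redirect binding, verifies a received redirect query by rebuilding the signed string from the raw encoded values, and checks the IdP's final LogoutResponse for InResponseTo, Destination, Issuer and the PartialLogout status. It uses only the Python standard library, so signing and verification are injected as callables; the entity IDs, URLs and the HMAC used in demo() as a stand-in for the RSA signature that the downloaded certificate would verify are assumptions.

```python
# Added example, not Mambu's code: the SP side of the SAML 2.0 SLO flow above, using
# the HTTP-Redirect binding and the standard library only. Signing is injected as
# callables; entity IDs, URLs and the HMAC stand-in in demo() are assumptions.
import base64
import hmac
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def build_logout_request(sp_entity_id, idp_slo_url, name_id, session_index):
    """Step 2: build the SP's LogoutRequest; keep the returned ID to match InResponseTo in step 6."""
    request_id = "_" + secrets.token_hex(16)
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{issued}" Destination="{escape(idp_slo_url)}">'
           f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer><saml:NameID>{escape(name_id)}</saml:NameID>"
           f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex></samlp:LogoutRequest>")
    return request_id, xml


def redirect_encode(xml):
    """Redirect-binding payload: raw DEFLATE (wbits -15 = no zlib header), then base64."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(z.compress(xml.encode()) + z.flush()).decode()


def redirect_decode(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def build_redirect_query(param, xml, relay_state, sign):
    """Step 3: query string for the IdP's SLO URL; the signature covers exactly the
    URL-encoded 'param=..&RelayState=..&SigAlg=..' string, in that order."""
    q = urllib.parse.quote
    signed = f"{param}={q(redirect_encode(xml), safe='')}"
    if relay_state is not None:
        signed += f"&RelayState={q(relay_state, safe='')}"
    signed += f"&SigAlg={q(SIG_ALG, safe='')}"
    return signed + "&Signature=" + q(base64.b64encode(sign(signed.encode())).decode(), safe="")


def verify_redirect_query(query, verify):
    """Receiver of either message: rebuild the signed string from the raw, still-encoded
    values as received, check the signature, then inflate. Raises ValueError on failure."""
    raw = dict(part.split("=", 1) for part in query.split("&"))
    param = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    if urllib.parse.unquote(raw.get("SigAlg", "")) != SIG_ALG:
        raise ValueError("unexpected or missing SigAlg")
    signed = f"{param}={raw[param]}"
    if "RelayState" in raw:
        signed += f"&RelayState={raw['RelayState']}"
    signed += f"&SigAlg={raw['SigAlg']}"
    if not verify(signed.encode(), base64.b64decode(urllib.parse.unquote(raw.get("Signature", "")))):
        raise ValueError("bad signature")
    relay = urllib.parse.unquote(raw["RelayState"]) if "RelayState" in raw else None
    return param, redirect_decode(urllib.parse.unquote(raw[param])), relay


def check_logout_response(xml, expected_request_id, expected_issuer, expected_destination):
    """Step 6 at the initiating SP: bind the response to our request, then read the
    top-level status and the second-level PartialLogout code."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        raise ValueError("not a LogoutResponse")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our LogoutRequest")
    if root.get("Destination") != expected_destination:
        raise ValueError("Destination is not our SLO endpoint")
    if root.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        raise ValueError("unexpected Issuer")
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    second = top.find(f"{{{SAMLP}}}StatusCode") if top is not None else None
    return {"success": top is not None and top.get("Value") == STATUS_SUCCESS,
            "partial": second is not None and second.get("Value") == STATUS_PARTIAL}


def demo(partial=False):
    """Round trip against a constructed IdP LogoutResponse; HMAC stands in for the RSA signature (assumption)."""
    key = b"demo-shared-secret"
    sign = lambda data: hmac.new(key, data, "sha256").digest()
    verify = lambda data, sig: hmac.compare_digest(sign(data), sig)
    sp, idp = "https://sp.example.test/saml", "https://idp.example.test"
    rid, req = build_logout_request(sp, idp + "/slo", "alice@example.test", "_s1")
    query = build_redirect_query("SAMLRequest", req, "/home", sign)
    if verify_redirect_query(query, verify) != ("SAMLRequest", req, "/home"):
        raise RuntimeError("round trip failed")
    try:  # altering RelayState must invalidate the signature
        verify_redirect_query(query.replace("RelayState=%2Fhome", "RelayState=%2Fevil"), verify)
        raise RuntimeError("tampered query accepted")
    except ValueError:
        pass
    inner = f'<samlp:StatusCode Value="{STATUS_PARTIAL}"/>' if partial else ""
    response = (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
                f'IssueInstant="2021-03-26T00:00:00Z" InResponseTo="{rid}" Destination="{sp}/slo">'
                f"<saml:Issuer>{idp}</saml:Issuer><samlp:Status>"
                f'<samlp:StatusCode Value="{STATUS_SUCCESS}">{inner}</samlp:StatusCode></samlp:Status>'
                "</samlp:LogoutResponse>")
    return check_logout_response(response, rid, idp, sp + "/slo")
```

Two design points matter in practice. The verifier rebuilds the signed string from the query parameters exactly as received rather than re-encoding decoded values, because any re-encoding difference breaks the signature check. And a LogoutResponse is only accepted if its InResponseTo matches a request ID this SP actually issued; a response that is merely well-signed but unsolicited, or addressed to a different Destination, is rejected before its status is read.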


How to Setup Single Logout in Mambu

To enable single logout for an organization:

  1. On the main menu, go to Administration > Access > Federated Authentication.

     [Screenshot: Federated Authentication settings page]

  2. Select the Enable Single Logout check box.
  3. Download the certificate by selecting Download.
  4. Select Save Changes.

Please Be Aware

The Mambu Logout URL field is pre-filled and cannot be edited. The downloaded certificate needs to be uploaded to the IdP configuration area (e.g. the Signature Certificate field); the IdP uses it to verify the signature on the LogoutRequest that Mambu sends.

To download the Mambu certificate that the IdP will use to verify the authenticity of the signed LogoutRequest: on the main menu, go to Administration > Access > Federated Authentication and then go to the Logout section.

A session timeout in Mambu will not trigger a logout request to the IdP, so a timed-out Mambu session does not end the IdP session or the sessions at other SPs; only an explicit logout from Mambu starts the Single Logout flow.


