Back-channel logout

Back-channel logout is a security mechanism used in Single Sign-On (SSO) and Identity and Access Management (IAM) systems to ensure that when a user logs out of one application or service, they are also automatically logged out of all related applications and services without relying on the user’s browser for communication. It is related to front-channel logout.

Here’s how back-channel logout works:

  1. User Initiates Logout: Just like in front-channel logout, the user initiates the logout process by clicking a “Logout” button or taking a similar action within one of the applications.
  2. Logout Request: The application that the user is logging out of sends a logout request to the Identity Provider (IdP) or Authentication Service, indicating that the user wishes to log out.
  3. IdP Notifies Other Services: Upon receiving the logout request, the IdP identifies all other applications or services where the user has an active session. Instead of relying on the user’s browser, the IdP directly notifies these applications using a secure, back-channel communication method. This can involve sending HTTP requests or using protocols like OpenID Connect or SAML.
  4. Applications Handle Logout: Each application that receives the logout notification from the IdP processes the request and logs the user out locally, similar to front-channel logout. This typically involves clearing session cookies, destroying user sessions, and performing any other necessary cleanup.
  5. Confirmation: After successfully logging out the user from all related services, the IdP may send a confirmation back to the initiating application, indicating that the logout process has been completed.
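
The steps above are what the OpenID Connect Back-Channel Logout profile standardizes: the IdP sends a signed "logout token" JWT straight to each application's registered logout endpoint, and the application validates it before tearing down the matching local session. The following is an added example (not code from the original page or from any particular IdP product) showing both halves in Python with only the standard library. To stay self-contained it signs the logout token with an HMAC shared secret (HS256); real deployments verify against the IdP's published asymmetric keys instead. The issuer URL, client id, secret and session values are constructed for the demo. The validation checks mirror the profile's requirements: signature, `iss`, `aud`, `iat` freshness, the `events` claim carrying the `backchannel-logout` member, presence of `sub` or `sid`, absence of `nonce`, and one-time use of `jti`.

```python
import base64
import hashlib
import hmac
import json
import time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed demo values (assumptions, not real endpoints or keys).
IDP_ISSUER = "https://idp.example.test"
RP_CLIENT_ID = "rp-client-123"
SHARED_SECRET = b"demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_logout_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """IdP side (step 3): mint an HS256-signed logout token JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class RelyingParty:
    """Minimal application: a session store plus the back-channel logout endpoint."""

    def __init__(self, client_id=RP_CLIENT_ID, issuer=IDP_ISSUER,
                 secret=SHARED_SECRET, max_age=120):
        self.client_id, self.issuer, self.secret, self.max_age = client_id, issuer, secret, max_age
        self.sessions = {}    # local session id -> {"sub": ..., "sid": ...}
        self.seen_jti = set() # replay protection for logout tokens

    def login(self, local_session_id, sub, sid):
        self.sessions[local_session_id] = {"sub": sub, "sid": sid}

    def validate_logout_token(self, token, now=None):
        """Return the claims if the token is acceptable, otherwise raise ValueError."""
        now = time.time() if now is None else now
        try:
            header_b64, body_b64, sig_b64 = token.split(".")
        except ValueError:
            raise ValueError("malformed JWT")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(body_b64))
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("not addressed to this client")
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or now - iat > self.max_age:
            raise ValueError("stale or missing iat")
        events = claims.get("events")
        if not isinstance(events, dict) or LOGOUT_EVENT not in events:
            raise ValueError("missing backchannel-logout event")
        if "sub" not in claims and "sid" not in claims:
            raise ValueError("need sub or sid")
        if "nonce" in claims:          # a logout token must never carry a nonce
            raise ValueError("nonce must not be present")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti.add(jti)
        return claims

    def backchannel_logout(self, token, now=None):
        """Step 4: end every local session matching sid (or, failing that, sub).

        Returns (http_status, sessions_terminated, reason).
        """
        try:
            claims = self.validate_logout_token(token, now)
        except ValueError as err:
            return 400, 0, str(err)
        if "sid" in claims:
            doomed = [k for k, s in self.sessions.items() if s["sid"] == claims["sid"]]
        else:
            doomed = [k for k, s in self.sessions.items() if s["sub"] == claims["sub"]]
        for key in doomed:
            del self.sessions[key]
        return 200, len(doomed), "ok"


if __name__ == "__main__":
    rp = RelyingParty()
    rp.login("cookie-1", sub="alice", sid="sid-1")
    now = int(time.time())
    token = sign_logout_token({"iss": IDP_ISSUER, "aud": RP_CLIENT_ID, "iat": now,
                               "jti": "demo-1", "sid": "sid-1", "events": {LOGOUT_EVENT: {}}})
    print(rp.backchannel_logout(token))   # (200, 1, 'ok')
```

Rejecting a replayed `jti` and a token that carries a `nonce` matters because the logout endpoint is unauthenticated apart from the token itself; the `sid`-first matching ends only the browser session the IdP named, while a `sub`-only token ends all of that user's sessions at the application.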

Back-channel logout is particularly valuable in scenarios where relying on the user’s browser for communication (as in front-channel logout) may not be secure or practical. It ensures that all sessions are terminated in a synchronized manner, regardless of the specific technologies or security measures used in each application.

By implementing back-channel logout, organizations can enhance the security and consistency of their SSO and IAM systems, preventing unauthorized access to protected resources even when users log out from a single application within the system.