Identify which User Session to Close During SAML Single Logout

Some identity providers and service providers require a session index parameter in the logout request or response to identify the user session to close. Salesforce now supports session index parameters with SAML single logout (SLO). When a user logs out of a connected app registered for SAML SLO, the session index parameter can help identify which user session to end.

Where: This change applies to Lightning Experience and Salesforce Classic in Group, Professional, Enterprise, Performance, Unlimited, and Developer editions.

How: When Salesforce is the identity provider, it generates and sends the session index parameter to the service provider during SAML single sign-on (SSO). Depending on the initiating provider, SAML SLO follows one of these processes.

  • If Salesforce initiates SLO, it sends the same session index parameter with the logout request to the service provider.
  • If the service provider initiates SLO, Salesforce sends the SAML SLO request to the other service providers participating in the current session. The other service providers post a logout response to Salesforce. Salesforce returns the logout response to the initiating service provider.

When Salesforce is the service provider, it receives and stores the session index parameter sent from the identity provider during SSO. If the identity provider initiates SLO, Salesforce sends a logout response. If Salesforce initiates the SLO, it sends the same session index parameter with the logout request to the identity provider.
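The store-then-echo flow described above, as an added example that is not Salesforce's code: a minimal service-provider-side handler that records the SessionIndex from the assertion's AuthnStatement during SSO, echoes it in an SP-initiated LogoutRequest, and on an IdP-initiated LogoutRequest closes only the session that matches both NameID and SessionIndex. The sample XML, names and URLs are constructed placeholders; the example also covers the SAML core rule (not mentioned on this page) that a LogoutRequest without a SessionIndex ends every session of that principal.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample assertion fragment as an IdP sends it during SSO
# (placeholder values; a real SP verifies the signature before reading it).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="_sess-1234"/>
</saml:Assertion>"""

def session_index_from_assertion(xml_text):
    """Return (NameID, SessionIndex) that the SP stores for later SLO."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS).text
    return name_id, root.find("saml:AuthnStatement", NS).get("SessionIndex")

def build_logout_request(issuer, name_id, session_index, request_id="_req-1"):
    """SP-initiated SLO: echo the stored SessionIndex back to the IdP."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}LogoutRequest",
                     {"ID": request_id, "Version": "2.0"})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS['saml']}}}NameID").text = name_id
    if session_index is not None:  # omitted only when no index was stored
        ET.SubElement(req, f"{{{NS['samlp']}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")

def close_matching_sessions(sessions, logout_request_xml):
    """IdP-initiated SLO: close only sessions whose NameID and SessionIndex
    match the request. Per SAML core 3.7, a request with no SessionIndex
    ends every session of that principal. Returns the closed local ids."""
    root = ET.fromstring(logout_request_xml)
    name_id = root.find("saml:NameID", NS).text
    idx = root.find("samlp:SessionIndex", NS)
    wanted = idx.text if idx is not None else None
    closed = [sid for sid, s in sessions.items()
              if s["name_id"] == name_id and wanted in (None, s["session_index"])]
    for sid in closed:
        del sessions[sid]
    return closed

if __name__ == "__main__":
    nid, si = session_index_from_assertion(ASSERTION)
    print(build_logout_request("https://sp.example.com", nid, si))
```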