Session termination in single logout using SAML

Let us say we have a user who is accessing three different services using Single sign-on. On clicking on Logout the session with the current SP can be identified and terminated.

Here on, it is the responsibility of IdP to log the user out from the other two services. My question is how the sessions with the remaining two services will be obtained and terminated?

Shurmajee Avatar asked May 27 '26 23:05



2 Answers

The IdP sends the other two SPs a LogoutRequest with the SessionIndex of the user to be logged out. The SPs are then responsible for terminating the session on their side.

Stefan Rasmusson Avatar answered May 30 '26 11:05



During SSO, the IDP sends a SAML Assertion to the SP that contains an AuthnStatement. One of the attributes of this AuthnStatement is SessionIndex, which identifies the session of the user with the IDP.

During SLO, the SP sends a SAML Logout Request that contains the SessionIndex identifying the session of the user (with the IDP) that the IDP must terminate. The IDP then retrieves the list of SPs that participate in the current user session and sends a SAML Logout Request to each of these SPs.

In order to do this, the IDP needs to keep track of the SPs that participate in the current user session (i.e., the SPs that received a SAML Assertion issued by the IDP during the current user session).

fajarkoe Avatar answered May 30 '26 13:05
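As an added example (not from the question or either answer), here is a small Python simulation of the flow fajarkoe describes: the IdP records which SPs received an assertion under a given SessionIndex, and when one SP sends a LogoutRequest it terminates its own session and issues a LogoutRequest carrying that SessionIndex to every other participating SP, which drops its local session. The entity IDs, SLO URLs, NameID and SessionIndex values are constructed for the demo, and the message is left unsigned for brevity (real LogoutRequests must be signed and the signature verified).

```python
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP); ET.register_namespace("saml", SAML)

def build_logout_request(issuer, destination, name_id, session_index):
    """Minimal <samlp:LogoutRequest> carrying the SessionIndex (unsigned here; real ones must be signed)."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", ID="_" + uuid.uuid4().hex,
                     Version="2.0", Destination=destination)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")

class IdP:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.sessions = {}  # SessionIndex -> {"name_id": ..., "sps": SLO URLs of SPs given an assertion}
    def record_sso(self, session_index, name_id, sp_url):
        # Called whenever an assertion with this SessionIndex is issued to the SP at sp_url.
        s = self.sessions.setdefault(session_index, {"name_id": name_id, "sps": set()})
        s["sps"].add(sp_url)
    def handle_logout_request(self, from_sp, session_index):
        """Terminate the IdP session; return a LogoutRequest for every other participating SP."""
        s = self.sessions.pop(session_index, None)
        if s is None:
            return []  # unknown or already terminated session: nothing to propagate
        return [(sp, build_logout_request(self.entity_id, sp, s["name_id"], session_index))
                for sp in sorted(s["sps"] - {from_sp})]

class SP:
    def __init__(self, slo_url):
        self.slo_url = slo_url          # this SP's SLO endpoint (also its key in the demo)
        self.local_sessions = {}        # SessionIndex -> local application session id
    def handle_logout_request(self, xml):
        """Drop the local session named by the LogoutRequest, if it is addressed to this SP."""
        req = ET.fromstring(xml)
        if req.get("Destination") != self.slo_url:
            return False  # addressed to another SP: ignore it
        return self.local_sessions.pop(req.findtext(f"{{{SAMLP}}}SessionIndex"), None) is not None

def simulate_slo():
    idp, urls = IdP("https://idp.example"), [f"https://sp{i}.example/slo" for i in (1, 2, 3)]
    sps = {u: SP(u) for u in urls}
    for u in urls:  # SSO: the same SessionIndex is issued to all three SPs (constructed values)
        idp.record_sso("idx-42", "alice", u)
        sps[u].local_sessions["idx-42"] = "app-session"
    sps[urls[0]].local_sessions.pop("idx-42")  # user clicks Logout at sp1, which ends its own session
    delivered = {u: sps[u].handle_logout_request(xml)
                 for u, xml in idp.handle_logout_request(urls[0], "idx-42")}
    return delivered, {u: dict(sp.local_sessions) for u, sp in sps.items()}
```

`simulate_slo()` returns which SPs acted on the IdP's LogoutRequest and the (now empty) local session tables of all three SPs.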



