RP-Initiated Logout

Warning

Please note that this will only sign out users out of their current session at Unidy. Other connected apps may still hold a valid session after clicking the link. There is no single-sign-out at the time of this writing. Therefore, set the session duration on connected apps with care.

Connected apps can generate links which allow users to log out of Unidy. The endpoint is based on draft 01 of the OIDC RP-Initiated Logout Specification. You can find the link to your instance's endpoint in the end_session_endpoint attribute under /.well-known/openid-configuration.

The flow works as follows:

  1. User clicks logout link on external page

  2. The connected application generates the necessary parameters for the logout action (see below)

  3. Using these parameters the connected application forwards the user to the RP-Initiated Logout endpoint

  4. Unidy validates the parameters and performs the logout

  5. Optional: User gets redirected to a location of your choice

For security reasons, a few conditions need to be met before Unidy can perform the logout action. Otherwise, an attacker may log out your users to interrupt your service or forward users to malicious pages.

  1. The connected application must pass a valid, non-expired ID token of the user in the id_token_hint parameter.

    • Hint: In case of an expired ID token you may want to retrieve a fresh ID token before forwarding the user to Unidy, by signing in again and then redirecting to the logout endpoint.
  2. If you wish to redirect the user to a custom URL after they signed out, get in touch with Unidy customer support first, so it can be safe-listed for your application. The connected application must then pass that URL in the post_logout_redirect_uri parameter. When the parameter is missing, users get redirected to the standard logout page.

  3. In case you want to perform additional validations at the post_logout_redirect_uri, you can optionally pass a state parameter.
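As an added example (not Unidy's own code), the following Python builds the logout link described above on the connected-app side: it reads the ID token's exp claim so an expired token triggers a fresh sign-in instead of a failed logout, attaches the safe-listed post_logout_redirect_uri together with a state value, and later compares the state echoed back on that redirect. The discovery document, endpoint path, redirect URL and token are constructed placeholders.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed discovery document; fetch the real one from your instance's
# /.well-known/openid-configuration and use its end_session_endpoint value.
DISCOVERY = {
    "issuer": "https://id.example.com",                          # placeholder
    "end_session_endpoint": "https://id.example.com/oidc/logout",  # placeholder path
}


def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_is_expired(id_token, now=None):
    """Read the exp claim of an ID token the app already validated at login.
    No signature check here: the token was verified when issued; we only need
    to know whether Unidy will still accept it as id_token_hint."""
    payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    return int(payload["exp"]) <= (now if now is not None else int(time.time()))


def build_logout_url(discovery, id_token, post_logout_redirect_uri=None, state=None, now=None):
    """Return (logout_url, state). Store the state in the user's session so the
    handler at post_logout_redirect_uri can check it with state_matches()."""
    if id_token_is_expired(id_token, now):
        raise ValueError("ID token expired: sign in again to obtain a fresh one before logout")
    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri:
        # Only a URL safe-listed by Unidy support for this app will be honoured.
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
        # state is echoed back on the redirect; generate one if the caller passed none.
        params["state"] = state or secrets.token_urlsafe(16)
    return "{}?{}".format(discovery["end_session_endpoint"], urlencode(params)), params.get("state")


def state_matches(expected, returned):
    """Constant-time check of the state echoed on post_logout_redirect_uri."""
    return bool(expected) and bool(returned) and secrets.compare_digest(expected, returned)


def make_constructed_id_token(exp):
    """Build an unsigned JWT-shaped token for this demo only (not a real Unidy token)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "{}.{}.sig".format(enc({"alg": "none"}), enc({"sub": "user-123", "exp": exp}))
```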

For more detailed explanations, please check the OIDC specification.