Skip to content

RP-Initiated Logout


Please note that this will only sign out users out of their current session at Unidy. Other connected apps may still hold a valid session after clicking the link. There is no single-sign-out at the time of this writing. Therefore, set the session duration on connected apps with care.

Connected apps can generate links which allow users to log out of Unidy. The endpoint is based on draft 01 of the OIDC RP-Initiated Logout Specification..) You can find the link to your instance's endpoint in the end_session_endpoint attribute under /.well-known/openid-configuration.

The flow works as follows:

  1. User clicks logout link on external page

  2. The connected application generates the necessary parameters for the logout action (see below)

  3. Using these parameters the connected application forwards the user to the RP-Initiated Logout endpoint

  4. Unidy validates the parameters and performs the logout

  5. Optional: User gets redirected to a location of your choice

For security reasons, a few conditions need to be met before Unidy can perform the logout action. Otherwise, an attacker may log out your users to interrupt your service or forward users to malicious pages.

  1. The connected application must pass a valid non-expired ID token of the user in the id_token_hint parameter

    • Hint: In case of an expired ID token you may want to retrieve a fresh ID token before forwarding the user to Unidy by 'signing-in' again and then redirecting to the logout endpoint
  2. If you wish to redirect the user to a custom URL after they signed out, get in touch with Unidy customer support first, so it can be safe-listed for your application. The connected application must then pass that URL in the post_logout_redirect_uri. When the parameter is missing, users get redirected to the standard logout page.

  3. In case you want to perform additional validations at the post_logout_redirect_uri, you can optionally pass a state parameter

For more detailed explanations, please check the OIDC specification.