Most people have only ever heard of SSO - Single Sign On - hell, we built our company on SSO. Single Sign On lets you verify your identity once and, on the strength of that one login, access multiple connected applications. It improves security by removing the need for a separate set of credentials per application: fewer passwords to phish, reuse or leak, and a single, well-defended place (the Identity Provider) where authentication actually happens, so the exposed surface is smaller and easier to protect.

That security can be taken a step further with SLO - Single Log Out - the logical but often forgotten counterpart to SSO in identity security and session management.

Single Log Out (SLO) ensures that when a user logs out of the primary application - in this case, a Drupal website - they are also logged out of the connected authentication system, i.e. the OAuth provider or Identity Provider (IdP) that signed them in.

When a user initiates a logout from Drupal, the session at the IdP is also terminated. This creates a secure logout scenario that spans across all integrated applications.

In this section, we’ll discuss everything from requirements and implementation process to results.


Imagine an organization where users authenticate through a central OAuth provider or Identity Provider and access multiple applications such as HR portals, dashboards, internal tools and customer-facing platforms.

All of these applications are connected to, and reached through, the central Drupal application.

Because the Drupal application is the primary way in, a user would reasonably assume that the Drupal logout is the primary way out.

But without SLO working behind the scenes, only the Drupal session ends; the user's session at the Identity Provider is still active.

This means, in practice:

  • Anyone using that browser can reopen a connected application - or Drupal itself, via SSO - and be signed back in without a login prompt, because the IdP still recognizes its session cookie.
  • On shared or public systems, the next person at the keyboard inherits that session and may gain access unintentionally.

In sensitive environments - the kinds Drupal specializes in - this becomes a serious issue, both for compliance and for data privacy.

The system just looks secure, but it isn’t.

Where Single Log Out Changes the Game

Single Log Out ensures that when a user logs out of Drupal, every connected (authenticated) session is terminated, including the session at the OAuth Provider or Identity Provider. Instead of stopping at the application layer, SLO completes the logout journey end-to-end.

When SLO is enabled:

  • When Drupal processes the logout, it destroys its own session and then sends a logout request to the OAuth Provider’s end-session endpoint (typically carrying the user’s ID token as a hint and the URL the browser should return to afterwards).
  • The Provider terminates the user’s session on its side.
  • The Provider redirects the browser to the logout destination defined in the OAuth Client.
  • With the Provider session gone, the next SSO attempt from any connected application fails and the user is forced to re-authenticate. One caveat a practitioner should keep in mind: an application that holds its own long-lived local session only ends it if it also takes part in the logout (for example via front-channel or back-channel logout) or re-checks the Provider; otherwise that local session lasts until it expires.

Single Click - Single Logout

  • First, install and configure the miniOrange Drupal OAuth client module. This setup guide will help you to configure the module.
  • Then, in the Client Settings section under the Client Configuration tab, check the box for Enable single log out.
  • Enter your OAuth provider’s or IdP’s logout URL in the IDP End Session Endpoint field. This is where the user’s browser is sent to end the Identity Provider session when they log out from the Drupal site.
  • Set Redirect URI Param Name to the query parameter your Identity Provider expects to carry the post-logout redirect URL (for OpenID Connect providers this is normally post_logout_redirect_uri). Change it if your provider uses a different name.
  • Below that is the Include ID token in the End session Endpoint check box. Many providers use the ID token to identify which session to end and to validate the redirect, so this option needs the token to be available at logout time:
    • Navigate to the Module settings tab by clicking the module settings link.
    • Scroll down to the Token storage section, enable Store token in User session and check the ID token check box.
    • Scroll down and click the Save Configuration button.
  • Back in Client Settings, check Include ID token in the End session Endpoint and enter the parameter name your IdP or OAuth provider expects for it (for OpenID Connect providers this is normally id_token_hint).
  • Scroll down and click the Save button.
  • That’s it: Single Log Out is configured.
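To make the difference concrete, here is a small added example (not code from the miniOrange module or from Drupal) that simulates the exchange described above in Python: an in-memory Identity Provider that issues ID tokens on silent SSO and handles end-session requests, and a relying party that builds the end-session request the way the module’s settings describe (an end-session endpoint URL, a configurable ID token parameter name and a configurable redirect-URI parameter name; the defaults used here, id_token_hint and post_logout_redirect_uri, are the OpenID Connect RP-Initiated Logout names). Hostnames, cookie values and the hr-portal client are constructed for the example. It shows the failure mode from the scenario section (another connected app gets silent SSO after a Drupal-only logout) and the two checks a Provider should perform before ending a session: the ID token hint must belong to the browser’s own session, and the redirect target must be one registered for that client.

```python
"""Simulated OIDC RP-initiated logout (Single Log Out) between a relying party
(the Drupal site) and an Identity Provider, using an in-memory IdP.

Constructed example with hypothetical hostnames; not code from the module.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoints (assumptions for this example, not the page's values).
END_SESSION_ENDPOINT = "https://idp.example.com/oidc/logout"
POST_LOGOUT_REDIRECT = "https://drupal.example.com/user/logged-out"


class IdentityProvider:
    """Minimal IdP: browser sessions keyed by SSO cookie, a record of issued ID
    tokens, and the post-logout redirect URIs each client registered."""

    def __init__(self):
        self.sessions = {}        # sso_cookie -> subject
        self.issued_tokens = {}   # id_token -> (sso_cookie, client_id)
        self.redirects = {"drupal": {POST_LOGOUT_REDIRECT}}

    def login(self, subject, sso_cookie):
        self.sessions[sso_cookie] = subject

    def authorize(self, sso_cookie, client_id):
        """Authorization request from a connected app. A live IdP session means
        silent SSO (an ID token is issued); otherwise None, i.e. a login prompt."""
        if sso_cookie not in self.sessions:
            return None
        id_token = f"idtok-{client_id}-{len(self.issued_tokens)}"
        self.issued_tokens[id_token] = (sso_cookie, client_id)
        return id_token

    def end_session(self, url, sso_cookie):
        """Handle an RP-initiated logout request. Returns the URL to send the
        browser to, or None if the request is refused and the session kept."""
        params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        hint = params.get("id_token_hint")
        if hint not in self.issued_tokens:
            # No or unknown hint: the spec says the OP should ask the user to
            # confirm rather than log out silently; here we simply refuse.
            return None
        token_cookie, client_id = self.issued_tokens[hint]
        if token_cookie != sso_cookie:
            return None  # hint was issued to a different browser session
        redirect = params.get("post_logout_redirect_uri")
        if redirect not in self.redirects.get(client_id, set()):
            return None  # unregistered redirect target: open-redirect guard
        self.sessions.pop(sso_cookie)
        if "state" in params:
            return redirect + "?" + urlencode({"state": params["state"]})
        return redirect


def build_end_session_url(id_token, state,
                          hint_param="id_token_hint",
                          redirect_param="post_logout_redirect_uri"):
    """The request Drupal sends on logout once 'Enable single log out' is on.
    The two parameter names mirror the module's 'ID token parameter name' and
    'Redirect URI Param Name' settings; the defaults are the OIDC names."""
    return END_SESSION_ENDPOINT + "?" + urlencode({
        hint_param: id_token,
        redirect_param: POST_LOGOUT_REDIRECT,
        "state": state,
    })


def logout_flow(single_logout):
    """Sign in to Drupal through the IdP, log out of Drupal, then let a second
    connected app (a hypothetical 'hr-portal') attempt SSO from the same
    browser. Returns True if that app got in without a login prompt."""
    idp = IdentityProvider()
    cookie = "sso-cookie-browser-1"          # constructed value
    idp.login("alice", cookie)
    id_token = idp.authorize(cookie, "drupal")
    # Drupal destroys its own session here in both cases. With SLO it also
    # sends the browser to the IdP's end-session endpoint.
    if single_logout:
        target = idp.end_session(build_end_session_url(id_token, "s1"), cookie)
        assert target is not None and target.startswith(POST_LOGOUT_REDIRECT)
    # The next person at the same browser opens another connected application.
    return idp.authorize(cookie, "hr-portal") is not None


if __name__ == "__main__":
    print("Drupal-only logout, hr-portal SSO succeeded:", logout_flow(False))
    print("Single Log Out, hr-portal SSO succeeded:   ", logout_flow(True))
```

Run it and the first line reports True (the zombie IdP session silently signs the next app in) while the second reports False. If your provider names the parameters differently, pass the module’s configured names to build_end_session_url instead of the defaults; the Provider-side checks are the ones you should expect a real IdP to perform, and a redirect that is not pre-registered being refused is the behaviour to verify when you test the feature.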

In modern authentication ecosystems, a partial or improper logout is a silent risk. Users trust the logout button, but without SLO that trust may be misplaced.

SSO and SLO together ensure that login is secure and that, once the job is done, the connected sessions are torn down by a single successful logout. That means no zombie sessions at the Identity Provider, no leftover access for the next person on a shared machine, and no security blind spot between your application and your Provider.
