This use case is about setting up Front-Channel Logout in Drupal. We use the OAuth Client & OpenID Connect SSO module for this. When a user logs out from one application or from the Identity Provider, the logout request is sent to all connected applications, so that the Drupal session is ended securely. This keeps authentication states consistent, improves session management and makes the Single Sign-On ecosystem more secure.

In this section, we’ll discuss everything from requirements and implementation process to results.

  • miniOrange OAuth Client module (version 8.x and above) is installed and enabled.
  • Administrator access to module configuration.
  • OAuth Provider is configured and reachable.
  • Required user attributes are available in the OAuth token.

When people use Drupal with OAuth or OpenID Connect for Single Sign-On they usually rely on Identity Providers like Okta, Microsoft or Keycloak to manage user accounts and authentication.

This means that when a user logs in, two separate sessions are created at the same time:

  • An active session at the Identity Provider (IdP)
  • An active session on the Drupal website

This makes it easy for users to log in, but it also creates a big problem when it comes to logging out. If a user logs out from the Identity Provider or from another connected application, the Drupal session does not automatically end.

This issue leaves users unintentionally logged in to the Drupal website after logout, creating potential security and compliance risks.

This problem affected a lot of people including:

  • Drupal Site Administrators
    • They had a hard time making sure that logout behavior was secure and consistent across all applications.
    • They could not enforce rules for ending sessions in a consistent way.
  • End Users
    • Users thought that logging out from their organization's Identity Provider would log them out of all applications.
    • This was not the case and it caused confusion and security risks.
  • Organizations with Compliance Requirements
    • Organizations that have to follow rules, like hospitals or banks, could not ensure that logout processes were properly synchronized.
  • Shared Device Environments
    • Organizations that use shared computers or public terminals had a risk of unauthorized access because Drupal sessions did not always end when they should.

To fix this problem Front-Channel Logout was implemented between the Identity Provider and the Drupal application.

This meant that when a user logged out from the Identity Provider, their Drupal session would also end at the same time. The solution included:

  • Configuring Front-Channel Logout support for OAuth/OpenID Connect (OIDC) based Single Sign-On
  • Establishing secure logout communication between the Identity Provider and Drupal
  • Detecting when a user logged out from the Identity Provider
  • Automatically ending the Drupal session when the Identity Provider session ended
  • Synchronizing logout events across all connected SSO-enabled applications
  • Maintaining consistent authentication states between Drupal and the Identity Provider
  • Preventing users from staying logged in on shared or public devices
  • Implementing the solution without disrupting existing login or authentication processes

The implementation provided a seamless and centralized logout experience for both administrators and end users.
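The steps above follow the OpenID Connect Front-Channel Logout flow: the Identity Provider (OP) renders its logout page with one hidden iframe per application the user signed in to, each pointing at that application's frontchannel_logout_uri with `iss` and `sid` query parameters, and the application ends only the local sessions that were created by that OP session. The model below is an added example written for this page; it is not code from the miniOrange module or from Drupal, and every hostname, session id and user name in it is a constructed sample value. It shows both sides of the exchange and the two checks the receiving endpoint must make (issuer matches, session id is present and known), since the request arrives unsigned through the user's browser.

```python
"""Front-channel logout modelled end to end (OP, RP and the browser in between).

Added illustration only; not the miniOrange module's or Drupal's code. All
hostnames, session ids and user names are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlencode, urlparse, parse_qs


@dataclass
class RpSession:
    """One local (e.g. Drupal) login, tied to the OP session that created it."""
    user: str
    iss: str   # issuer that authenticated this login (from the ID token)
    sid: str   # OP session id ("sid" claim) from the ID token
    active: bool = True


class RelyingParty:
    """A Drupal-like application that exposes a frontchannel_logout_uri."""

    def __init__(self, name: str, logout_uri: str, expected_issuer: str) -> None:
        self.name = name
        self.logout_uri = logout_uri
        self.expected_issuer = expected_issuer
        self.sessions: Dict[str, RpSession] = {}

    def login(self, local_session_id: str, user: str, iss: str, sid: str) -> RpSession:
        # Persist iss/sid with the local session so a later logout notice can be matched.
        s = RpSession(user=user, iss=iss, sid=sid)
        self.sessions[local_session_id] = s
        return s

    def frontchannel_logout(self, query: Dict[str, str]) -> int:
        """Handle GET frontchannel_logout_uri?iss=...&sid=... sent from the OP's logout page.

        Returns the number of local sessions ended. The request carries no signature,
        so the endpoint acts only when both parameters are present, the issuer is the
        one this RP trusts, and the sid matches a session this RP created for it.
        """
        iss = query.get("iss")
        sid = query.get("sid")
        if not iss or not sid:
            return 0  # refuse a blanket logout that names no specific OP session
        if iss != self.expected_issuer:
            return 0  # a notice from an issuer we never trusted is ignored
        ended = 0
        for s in self.sessions.values():
            if s.active and s.iss == iss and s.sid == sid:
                s.active = False
                ended += 1
        return ended


class OpenIdProvider:
    """The Identity Provider side: remembers which RPs each OP session logged in to."""

    def __init__(self, issuer: str) -> None:
        self.issuer = issuer
        self.logged_in_rps: Dict[str, List[RelyingParty]] = {}

    def authenticate(self, sid: str, rp: RelyingParty, local_session_id: str, user: str) -> RpSession:
        self.logged_in_rps.setdefault(sid, []).append(rp)
        return rp.login(local_session_id, user, self.issuer, sid)

    def logout_page_iframe_urls(self, sid: str) -> List[str]:
        """The iframe src URLs the OP embeds on its logout page for this OP session."""
        urls = []
        for rp in self.logged_in_rps.pop(sid, []):
            urls.append(rp.logout_uri + "?" + urlencode({"iss": self.issuer, "sid": sid}))
        return urls


def browser_loads_iframes(urls: List[str], rps: List[RelyingParty]) -> int:
    """Simulate the browser fetching each iframe; returns the total sessions ended."""
    by_uri = {rp.logout_uri: rp for rp in rps}
    total = 0
    for url in urls:
        parts = urlparse(url)
        base = f"{parts.scheme}://{parts.netloc}{parts.path}"
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        rp = by_uri.get(base)
        if rp is not None:
            total += rp.frontchannel_logout(query)
    return total


def demo() -> Dict[str, object]:
    """Constructed scenario: alice is signed in to two apps, bob to one; alice logs out at the OP."""
    op = OpenIdProvider("https://idp.example.com")
    drupal = RelyingParty("drupal", "https://drupal.example.com/oauth/frontchannel-logout", op.issuer)
    wiki = RelyingParty("wiki", "https://wiki.example.com/logout-frontchannel", op.issuer)
    alice_drupal = op.authenticate("op-sess-1", drupal, "drupal-sess-a", "alice")
    alice_wiki = op.authenticate("op-sess-1", wiki, "wiki-sess-a", "alice")
    bob_drupal = op.authenticate("op-sess-2", drupal, "drupal-sess-b", "bob")
    urls = op.logout_page_iframe_urls("op-sess-1")
    ended = browser_loads_iframes(urls, [drupal, wiki])
    # A notice naming bob's sid but a foreign issuer must not end anything.
    forged = drupal.frontchannel_logout({"iss": "https://other-idp.example.net", "sid": "op-sess-2"})
    return {"iframes": len(urls), "ended": ended, "alice_drupal": alice_drupal.active,
            "alice_wiki": alice_wiki.active, "bob_drupal": bob_drupal.active, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

Two operational points follow from this flow. The logout endpoint must be allowed to load inside a frame on the Identity Provider's origin (its `X-Frame-Options` or CSP `frame-ancestors` policy has to permit the IdP) and should answer with `Cache-Control: no-store`, otherwise the browser may serve a cached response and the session survives. Because the notice is delivered by the browser, it also depends on the browser sending the application's session cookie from within a third-party iframe; where third-party cookie restrictions block that, the application cannot locate the session to end, which is why the `sid`-based lookup above and, where the provider supports it, back-channel logout are the safer complements to this front-channel mechanism.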

Figure: Drupal OAuth Client Front-Channel Logout flow

With Front-Channel Logout in place between the Identity Provider and the Drupal application, a user who logged out from the Identity Provider also had their Drupal session ended at the same time. The results included:

  • Users were automatically logged out from Drupal immediately after logging out from the Identity Provider.
  • Sessions were properly synchronized across applications.
  • Security on shared and public devices was greatly improved
  • Organizations had control over session management and logout handling.
  • Compliance and security requirements for session termination were met.
  • Authentication states were always consistent between the Identity Provider and Drupal.
  • Users had a secure, reliable and predictable Single Sign-On logout process.

Front-Channel Logout improves logout handling by turning an inconsistent and risky process into a centralized and secure authentication experience. By synchronizing session termination across Drupal and connected Identity Providers, organizations gain stronger security, better compliance readiness, safer shared-device usage, and a more reliable SSO experience. The result is a simpler, safer, and more trustworthy authentication workflow across all connected systems.
