...

CCC's Single Logout solution leverages the SSO Proxy and the proprietary SSO endpoints of the College Identity Providers to achieve single logout.

...

The user clicks logout in the Service Provider (e.g. Common Assessment).  Since all CCC Services use Spring Security SAML (CWF - Is this a valid assumption?), logging out in Spring Security will terminate both the SSO and application session.  When logout is complete, the user will be directed to the new logout page in the SSO Proxy.

User lands on SSO Proxy after Service Provider Logout

...

When the user lands on the SSO Proxy page, a series of embedded IFRAME requests will make REST call redirects to all known Service Provider logout endpoints.  If the user is not actually logged in to an endpoint, the request will be ignored.

In a future enhancement, the SSO Proxy could keep track of the Service Providers the user has logged into, but this would require a longer SSO session time in the SSO Proxy, which could have a negative impact on SSO Proxy performance and cost due to the cost of caching session data for a longer period of time. (CWF - The number of Service Providers is growing quickly, especially with the addition of Canvas and Hobsons SPs.  I think the cost of caching these would be minimal compared to the downside of not doing so.)

Service Provider terminates SSO and Application session

When a Service Provider receives the logout request, the application session and SSO session will be terminated.  Since all CCC applications will be using Spring Security SAML (CWF - Is this a valid assumption?), both SSO and application session termination will be handled by Spring Security SAML.

After the IFRAME requests to the Service Provider logout endpoints, another IFRAME request will be issued to the proprietary logout endpoint of the IDP that initially authenticated the user (authsource).
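The logout page flow above, as an added example that is not part of the original design page or the CCC code base: a Python sketch of how the SSO Proxy logout page could be assembled from a registry of known Service Provider logout endpoints followed by the authsource IDP's proprietary logout endpoint, with the authsource resolved only against known IDPs so the page never frames a caller-supplied URL. The endpoint URLs, the registry names and the optional `active_sps` filter (the future enhancement described above) are assumptions.

```python
from html import escape

# Constructed sample registry of Service Provider logout endpoints (hypothetical URLs).
SP_LOGOUT_ENDPOINTS = {
    "assess": "https://assess.example.edu/saml/logout",
    "apply": "https://apply.example.edu/saml/logout",
    "canvas": "https://canvas.example.edu/saml/logout",
}

# Constructed sample of proprietary IDP logout endpoints keyed by authsource id.
IDP_LOGOUT_ENDPOINTS = {
    "college-a": "https://idp.college-a.example.edu/sso/logout",
    "college-b": "https://idp.college-b.example.edu/sso/logout",
}


def logout_targets(authsource, active_sps=None):
    """Return the ordered list of logout URLs the proxy logout page should load.

    authsource: id of the IDP that authenticated the user; must be a known key.
    active_sps: optional set of SP ids the user is known to have logged into
    (the future enhancement); None means every known SP, relying on each SP
    to ignore a logout request when no session exists.
    """
    if authsource not in IDP_LOGOUT_ENDPOINTS:
        # Only known authsources: the page must never frame an arbitrary URL.
        raise ValueError("unknown authsource: %r" % (authsource,))
    if active_sps is None:
        sp_ids = sorted(SP_LOGOUT_ENDPOINTS)
    else:
        # Unknown ids are dropped rather than trusted as URLs.
        sp_ids = sorted(s for s in active_sps if s in SP_LOGOUT_ENDPOINTS)
    # SP logouts first, then the IDP that issued the original authentication.
    return [SP_LOGOUT_ENDPOINTS[s] for s in sp_ids] + [IDP_LOGOUT_ENDPOINTS[authsource]]


def render_logout_page(authsource, active_sps=None):
    """Render the SSO Proxy logout page with one hidden IFRAME per logout target."""
    frames = "\n".join(
        '  <iframe src="%s" style="display:none" referrerpolicy="no-referrer"></iframe>'
        % escape(url, quote=True)
        for url in logout_targets(authsource, active_sps))
    return ("<!doctype html>\n<html><body>\n<p>Signing you out...</p>\n"
            "%s\n</body></html>\n" % frames)
```

Browsers that block third-party cookies may not send an SP's session cookie with a cross-site IFRAME request, so the SP logout can silently do nothing; verify the flow in each supported browser.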

...