Enabling Single Logout (SLO)

iMIS SSO does not natively support single logout because it does not handle any user session information directly - it is primarily a pass-through between iMIS and other OIDC/SAML client apps and/or external directories.

The following document explains how to implement single logout in iMIS, with a built-in redirect to forward the user to the third-party app or connected external directory to simultaneously sign them out in those environments as well.

Create a RiSE Page

In Staff Site > RiSE > Page Builder > Manage Content, choose a common location where the logout page will occur. For example, if you already have a folder for SSO with CSI iMIS SSO pages in it, you can place the logout page in the same folder.

Set up the Page Properties / Configuration

Name the page: SingleLogout

Under Redirect Rules, add a condition for redirect: User is not authenticated

Target URL: Enter a URL where someone should be taken who happens to load the logout page and is already logged out. For example, a staff user can enter the main homepage URL here (such as https://example.org).

Under Access Settings, set the page permissions to Preconfigured Security Set and Everyone Read.

Add the Page Content

Back on the Definition tab, click Add Content, then double-click the Content Html iPart.

In the box that appears, at the bottom, click Convert to Advanced Content.

Next, at the bottom, switch to HTML mode:

Copy and paste this code snippet into the editor box:

<script>// *** IMPORTANT ***
// Change this "logout_target_url" variable to your directory's single logout 
// page. See the "Directory Logout Reference" section of the docs for guidance.

let logout_target_url = 'https://example.com/';

document.addEventListener('DOMContentLoaded', function () {
    fetch('/AsiCommon/Controls/Shared/FormsAuthentication/logout.aspx', {
        method: 'GET',
        credentials: 'include'
    })
    .then(response => {
        window.location.href = logout_target_url;
    })
    .catch(error => {
        console.error('Logout failed', error);
        window.location.href = logout_target_url;
    });
});
</script>

Important! Be sure to update the logout_target_url variable to point to the external app or directory’s single logout (also known as front-channel) logout page.

See below for guidance with common external directory providers.

After the target URL is updated, click OK and then Save & Publish.

The Publish location (the full URL) of that page is now the link that can be used to sign someone out of iMIS, as well as the target or connected external app or directory. Staff users can link to this page from anywhere else in iMIS or RiSE, or even on another website.

Directory Logout Reference

Below are a few examples of logout URLs from common external directory providers.

If the directory or app is not listed here, see the Other section for general guidance.

Microsoft Entra ID (formerly Azure AD)

First, obtain the Tenant ID (a guid).

Next, decide if you want to take the user somewhere else after being signed out of Microsoft/Entra, or if you want them to stay in Entra and view the default signed-out UI.

If you want to take the user to an external site, you need to register the exact URL that the user will be taken to as an allowed Redirect URL in the Entra client app configuration.

Logout Only

https://login.microsoftonline.com/__TENANT_ID_HERE__/oauth2/v2.0/logout

Logout and Redirect

https://login.microsoftonline.com/__TENANT_ID_HERE__/oauth2/v2.0/logout?post_logout_redirect_uri=https://example.com

Note: Replace __TENANT_ID_HERE__ with your Microsoft Tenant ID, and for redirect, replace https://example.com with the exact destination URL that you added to the allowed Redirect URL list above.

See Microsoft’s OIDC front-channel logout documentation for more information.

AWS Cognito

First, obtain the following information:

  • The domain prefix (e.g. the xxxx in xxxx.auth.region-code.amazoncognito.com)
  • The AWS region code
  • The app’s client ID (the one connected to iMIS SSO)
  • The redirect URL to take users to after they’ve been signed out

Register the specific redirect URL in the client app settings. Look for the Allowed sign out URLs field.

Logout and Redirect

https://__YOUR_DOMAIN__.auth.__YOUR_REGION__.amazoncognito.com/logout?client_id=__YOUR_CLIENT_ID__&logout_uri=__YOUR_REDIRECT_URI__

Replace __YOUR_DOMAIN__, __YOUR_REGION__, __YOUR_CLIENT_ID__, and __YOUR_REDIRECT_URI__ with the appropriate values from above.

Example: https://csi-docs-sample.auth.us-east-2.amazoncognito.com/logout?client_id=abcdefghijklmnopqrstuvwxyz&logout_uri=https://example.com

Other

Any connected application looking to support single logout from iMIS must behave as follows:

  • Accepts an HTTP(S) GET request from a browser (CORS optional / not required)
  • Completely and automatically signs the user out and removes all session information without any prompts or confirmations
  • Optionally, redirects the user to another destination URL (either to chain additional logouts together, or to a confirmation page or homepage)