SAML Single Logout
Organizations that manage Zinc access through a SAML identity provider (IdP) such as Okta or Active Directory can enforce logout policies centrally. SAML SLO provides a Zinc API endpoint that the IdP can call to terminate a user's Zinc session remotely. IT administrators gain the ability to require re-authentication in specific compliance scenarios without asking users to log out manually from Zinc.
Prerequisite
To use SAML SLO, your organization must have SAML SSO configured for Zinc. The IdP must be configured to point its SLO endpoint to the Zinc SLO API endpoint.
Logout Scenarios
Zinc supports the following SLO scenarios:
IdP-initiated logout: When a user logs out at the IdP, or when the IdP forces a logout, the IdP sends a SAML Logout Request message to the Zinc SLO endpoint. Zinc validates the request, terminates the user's session, and responds with a Logout Response. The IdP repeats this process with all other service providers where the user has active sessions.
Service Provider-initiated logout: When a user logs out from the Zinc app, Zinc sends a Logout Request to the IdP's SLO endpoint. The IdP terminates the session, sends Logout Request messages to all other service providers, collects their responses, and returns a Logout Response to Zinc.
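The IdP-initiated flow described above, seen from the service provider's side, as an added example that is not Zinc's code. The entity IDs, URLs, in-memory session map and function names are hypothetical, and the sketch assumes the message has already been decoded from its HTTP binding and its XML signature verified against the IdP certificate.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET
P, A = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
# Hypothetical identifiers for the demo, not Zinc's or any IdP's real values.
IDP_ENTITY_ID = "https://idp.example.com/metadata"
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_SLO_URL = "https://sp.example.com/saml/slo"
TS = "%Y-%m-%dT%H:%M:%SZ"

def sample_request(issuer=IDP_ENTITY_ID, not_on_or_after="2024-01-01T12:05:00Z"):
    """Constructed LogoutRequest (not captured traffic)."""
    return (f'<samlp:LogoutRequest xmlns:samlp="{P}" xmlns:saml="{A}" ID="_req1" '
            f'Version="2.0" IssueInstant="2024-01-01T12:00:00Z" '
            f'NotOnOrAfter="{not_on_or_after}" Destination="{SP_SLO_URL}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            '<saml:NameID>alice@example.com</saml:NameID>'
            '<samlp:SessionIndex>s1</samlp:SessionIndex></samlp:LogoutRequest>')

def handle_logout_request(xml_text, sessions, now):
    """Return (status, LogoutResponse XML); `sessions` maps SessionIndex -> NameID.
    Assumes the XML signature was already verified against the IdP certificate."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs to avoid entity-expansion attacks
        raise ValueError("DTD not allowed")
    req = ET.fromstring(xml_text)
    expiry = req.get("NotOnOrAfter")
    name_id = req.findtext(f"{{{A}}}NameID")
    indexes = [e.text for e in req.findall(f"{{{P}}}SessionIndex")]
    expired = bool(expiry) and dt.datetime.strptime(expiry, TS).replace(
        tzinfo=dt.timezone.utc) <= now
    if (req.tag != f"{{{P}}}LogoutRequest" or expired
            or req.findtext(f"{{{A}}}Issuer") != IDP_ENTITY_ID
            or req.get("Destination") != SP_SLO_URL):
        status = REQUESTER  # reject: wrong sender, wrong endpoint, or stale request
    else:
        status = SUCCESS  # no SessionIndex means every session of this NameID
        for idx in indexes or [i for i, n in sessions.items() if n == name_id]:
            if sessions.get(idx) == name_id:
                del sessions[idx]
    resp = ET.Element(f"{{{P}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": now.strftime(TS), "InResponseTo": req.get("ID", "")})
    ET.SubElement(resp, f"{{{A}}}Issuer").text = SP_ENTITY_ID
    st = ET.SubElement(resp, f"{{{P}}}Status")
    ET.SubElement(st, f"{{{P}}}StatusCode", {"Value": status})
    return status, ET.tostring(resp, encoding="unicode")
```

The Issuer, Destination and NotOnOrAfter checks are what stop a replayed or misdirected LogoutRequest from ending a session, and InResponseTo lets the IdP match the response to its request.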