Skip to main content

Single Sign-out

Single sign-out (SSO) signs a user out of a secured application and clears both the remote application session generated by the identity provider and the local Pomerium session.

OIDC Front-Channel Logout

Pomerium supports Front-Channel Logout as described in OpenID Connect Front-Channel Logout 1.0.

Identity provider support

See if your identity provider (IdP) supports Front-Channel Logout by checking your IdP’s /.well-known/openid-configuration endpoint. If your IdP supports it, you may see something similar to the JSON data below:

{
  "frontchannel_logout_session_supported": true
}

Configure single sign-out

To correctly implement SSO, you must register a frontchannel_logout_uri for your application that includes the path /.pomerium/sign_out.

The frontchannel_logout_uri must match the external route in your policy. For example, app.corp.example.com/.pomerium/sign_out.

If configured correctly, the following actions occur:

  1. The proxy service receives the sign-out request and clears the local Pomerium session
  2. The proxy service redirects the request to the authenticate service URL’s /.pomerium/sign_out endpoint
  3. The authentication service clears the remote application session

Single sign-out flow

caution

While it is possible to implement SSO using the authenticate service URL and the /.pomerium/sign_out endpoint, this method is not recommended.

Signing out with the authenticate service URL won’t delete the session cookie on the route itself. To terminate the remote application and Pomerium sessions, you must point sign-out requests to the external route.

Well-known Pomerium endpoint

See Pomerium's /.well-known/pomerium endpoint to view OAuth, OIDC, and JWKS data.

For example:

{
  "authentication_callback_endpoint": "https://authenticate.localhost.pomerium.io/oauth2/callback",
  "jwks_uri": "https://authenticate.localhost.pomerium.io/.well-known/pomerium/jwks.json",
  "frontchannel_logout_uri": "https://authenticate.localhost.pomerium.io/.pomerium/sign_out"
}

Note, a CSRF token is required for the single sign out endpoint (despite supporting GET and POST) and can be retrieved from the X-CSRF-Token response header on the well known endpoint above or using the _pomerium_csrf session set.

Single sign-out example with Pomerium

The example below demonstrates how to correctly implement SSO using the JavaScript SDK:

export const signOut = (redirectUrl) => {
  let location = window.location.origin + '/.pomerium/sign_out';
  if (redirectUrl) {
    location += '?pomerium_redirect_uri=' + encodeURIComponent(redirectUrl);
  }
  window.location.href = location;
};

In the example above, the signOut function appends the /.pomerium/sign_out endpoint to the external route URL, then redirects the user.

From here, the proxy service clears the external route session and redirects the user to the authenticate service URL to clear the Pomerium session.