Can Single Log Out be done for specific users?
-
Hi,
I have specific questions about the single logout behavior in FusionAuth, and would really appreciate any input/hints.
Questions:
- Does FusionAuth's Single Logout blindly call the Logout URL for all Applications, regardless of whether the user who is logging out is registered only for a subset of the list of Applications?
- i.e.: if I have 2 applications in FusionAuth (A and B), and a user is only registered for app A, when that user logs out from A, will app B's logout URL be called?
- Is there a way to pass the identity of the user who is logging out to the Logout URLs of the Application?
Some more background info below.
I have 2 systems involved:
- A proprietary software (A)
- An external system (B)
FusionAuth is currently acting as IDP for system A.
The goal is to let a user log in to our proprietary system (A), after which the user will also be able to access the external system (B). At the same time, I want a user who logs out from A to also be logged out from B.
However, not all users will be associated/registered for B.
All users will by default be registered with A. I created 2 Applications inside FusionAuth to represent A and B, and set the logout behavior to be "All Application".
For B's Application, in FusionAuth I set the Logout URL to some URL.
Thank you again for any inputs!
-
@ken-gunadi said in Can Single Log Out be done for specific users?:
Does FusionAuth's Single Logout blindly call the Logout URL for all Applications, regardless of whether the user who is logging out is registered only for a subset of the list of Applications?
i.e.: if I have 2 applications in FusionAuth (A and B), and a user is only registered for app A, when that user logs out from A, will app B's logout URL be called?
Yes, if you specify all applications as you mentioned you did. The alternative is to set the logoutBehavior to RedirectOnly which does not call the logout of all applications.
Is there a way to pass the identity of the user who is logging out to the Logout URLs of the Application?
No. However, your application typically has some knowledge (a session id, etc.) of the user who is logging out. Would love to hear more about your use case.
-
@dan Thank you so much for the response.
Referring back to the scenario I described with a User that has a registration to only one of the FusionAuth Applications, I would've thought FusionAuth single logout would only call the Logout URL of the Application for which the User is registered (when that User logs out).
Instead, it also calls the Logout URL of the Application for which the User has no registration.
Maybe I'm misunderstanding the intention of the single logout?
-
I'm not sure I understand the issue. How does the user have a valid session in an application they aren't registered for?
What am I missing?
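
Added example, not part of the thread and not FusionAuth code: a sketch of how application B's Logout URL handler can identify the user from its own session cookie, since the thread notes no identity is passed, and do nothing when the caller has no session in B. The cookie name `b_session`, the in-memory session store, and the assumption that the browser sends B's cookie with the logout request are all hypothetical.

```python
from http.cookies import SimpleCookie, CookieError

SESSION_COOKIE = "b_session"  # hypothetical cookie name used by application B


def handle_logout(cookie_header, sessions):
    """Handle a request to B's Logout URL.

    cookie_header: raw Cookie header from the request (None if absent).
    sessions: B's own session store, mapping session id -> user id.
    Returns (status, response_headers, user_logged_out_or_None).
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        jar = SimpleCookie()  # malformed header: treat as "no session"

    morsel = jar.get(SESSION_COOKIE)
    sid = morsel.value if morsel else None

    # The identity comes from B's own session, not from the logout request.
    # A user who never had a session in B hits this as a harmless no-op.
    user = sessions.pop(sid, None) if sid else None

    headers = [("Cache-Control", "no-store")]
    if sid:
        # Expire the cookie even if the id was unknown or already removed.
        headers.append(
            ("Set-Cookie",
             f"{SESSION_COOKIE}=; Max-Age=0; Path=/; HttpOnly; Secure")
        )
    # Always answer 200 so the response does not reveal whether a
    # session existed for the caller.
    return 200, headers, user


if __name__ == "__main__":
    # Constructed sample data: two live sessions in B's store.
    store = {"s-alice-1": "alice", "s-bob-1": "bob"}
    print(handle_logout("b_session=s-alice-1", store))  # alice logged out
    print(handle_logout(None, store))                   # no session: no-op
    print(store)
```
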