This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Child pages
  • KIP-10 KnoxSSO Logout Flow
Skip to end of metadata
Go to start of metadata


Current-Status: In-Progress




With the Single Sign On (SSO) ability supported with different Identity Providers (IdP), Knox needs to have an ability to support "logging out" of applications and Identity providers.

The main purpose of this KIP is to document the design flow to for KnoxSSO logout feature (henceforth called KnoxSSOUT).

Logout flow might change depending on the method used for SSO i.e.

  • SAML
  • CAS
  • OAuth
  • OpenID Connect


The above mentioned methods are transparent to KnoxSSO users so it is imperative that the logout should behave in a similar fashion. As a result, there should be one logout url that would logout the current user based on the type of SSO used. We propose the following url


Here, {knox-sso-out-topo} is the name of the KnoxSSO out topology (knoxssout.xml).

In some cases simply deleting local cookies will terminate the session (CAS) in some cases a specially crafted logout request needs to be sent to the IdP (SAML), Knox should be able to seamlessly handle these cases. Fortunately, Pac4J does most of the heavy lifting for us, but there needs to be some more work done on the integration to make logout work seamlessly for Knox. The following sections will describe the logout flow.



SAML Logout Flow

  • No labels