Configure an OpenID Connect logout
This topic provides an overview of how to configure a logout for OIDC.
CyberArk Identity supports RP-initiated logout, where the relying party requests the OpenID provider to log out an end-user.
When the RP sends an authorization request to the CyberArk Identity, Identity sends an authentication request to the user and authenticates the user. When the user tries to log out from the RP, the user must also be logged out from CyberArk Identity.
The RP requests the CyberArk Identity to log the user out by redirecting the user agent to the
end_sessionendpoint. This URL is obtained via the
end_session_endpointelement of the CyberArk Identity metadata URL.
The RP should revoke the tokens on user logout or when the user is invalidated using the revoke token endpoint.