Configure an OpenID Connect logout

This topic provides an overview of how to configure a logout for OIDC.

CyberArk Identity supports RP-initiated logout, where the relying party requests the OpenID provider to log out an end-user.

  1. When the RP sends an authorization request to CyberArk Identity, CyberArk Identity prompts the user to authenticate and establishes a session for the user. When the user logs out from the RP, the user must also be logged out from CyberArk Identity; otherwise the Identity session remains usable for single sign-on into other applications.

  2. The RP asks CyberArk Identity to log the user out by redirecting the user agent to the end session endpoint. This URL is the value of the end_session_endpoint element in the discovery document served at the CyberArk Identity metadata URL.

  3. The RP should also revoke the tokens it holds, on user logout or when the user is invalidated, using the revoke token endpoint.
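
The three steps above, as an added RP-side example (this is not CyberArk's own code or SDK): it reads end_session_endpoint and revocation_endpoint from a discovery document, builds the RP-initiated logout redirect using the id_token_hint, post_logout_redirect_uri and state parameters defined by the OpenID Connect RP-Initiated Logout specification, and builds the RFC 7009 revocation request bodies for the tokens the RP still holds. The discovery document, the hostname example-tenant.example and the endpoint paths are constructed placeholders and do not describe a real CyberArk Identity tenant; how the client authenticates to the revocation endpoint (here a client_id in the body, as a public client would) is also an assumption.

```python
"""
Added example (not CyberArk's own code): an RP-side helper for OIDC
RP-initiated logout followed by token revocation.

The discovery document below is CONSTRUCTED for this example; the host
example-tenant.example and the endpoint paths are placeholders.
"""
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for what a GET on the metadata URL would return.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-tenant.example/oauth2/my_app",
    "authorization_endpoint": "https://example-tenant.example/oauth2/authorize/my_app",
    "token_endpoint": "https://example-tenant.example/oauth2/token/my_app",
    "end_session_endpoint": "https://example-tenant.example/oauth2/endsession/my_app",
    "revocation_endpoint": "https://example-tenant.example/oauth2/revoke/my_app",
})


def load_discovery(doc: str) -> dict:
    """Parse the discovery document and insist on the endpoints logout needs."""
    meta = json.loads(doc)
    for key in ("end_session_endpoint", "revocation_endpoint"):
        if key not in meta or not meta[key].startswith("https://"):
            raise ValueError(f"discovery document lacks an https {key}")
    return meta


def build_logout_redirect(meta, id_token, post_logout_redirect_uri,
                          registered_uris, state=None):
    """Return (url, state): the URL the RP redirects the user agent to in
    order to end the OP session, plus the state value to verify on return.

    post_logout_redirect_uri is checked against the RP's own registered list
    so the RP never forwards an unvalidated, caller-supplied redirect target.
    """
    if post_logout_redirect_uri not in registered_uris:
        raise ValueError("post_logout_redirect_uri is not a registered logout URI")
    state = state or secrets.token_urlsafe(16)
    params = {
        "id_token_hint": id_token,                      # tells the OP which session
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,                                 # round-tripped, checked on return
    }
    return f"{meta['end_session_endpoint']}?{urlencode(params)}", state


def build_revocation_requests(meta, client_id, access_token=None, refresh_token=None):
    """Build RFC 7009 POST bodies, one per token the RP still holds.

    The refresh token is listed first: once it is gone, the access token
    cannot be renewed even if its own revocation request fails.
    """
    requests = []
    for token, hint in ((refresh_token, "refresh_token"), (access_token, "access_token")):
        if token:
            requests.append({
                "url": meta["revocation_endpoint"],
                "body": {"token": token, "token_type_hint": hint,
                         "client_id": client_id},  # assumption: public-client style auth
            })
    return requests


def logout_state_matches(callback_url, expected_state) -> bool:
    """When the OP returns the user to post_logout_redirect_uri, confirm the
    state we sent came back before clearing the RP's local session."""
    qs = parse_qs(urlparse(callback_url).query)
    return qs.get("state") == [expected_state]


if __name__ == "__main__":
    meta = load_discovery(SAMPLE_DISCOVERY)
    url, state = build_logout_redirect(
        meta, "constructed.id.token", "https://rp.example/logged-out",
        {"https://rp.example/logged-out"})
    print("redirect user agent to:", url)
    for req in build_revocation_requests(meta, "my_client",
                                         access_token="constructed-at",
                                         refresh_token="constructed-rt"):
        print("POST", req["url"], req["body"])
    print("state ok:", logout_state_matches(f"https://rp.example/logged-out?state={state}", state))
```

The RP should clear its own session only after both steps: the redirect to end_session_endpoint ends the CyberArk Identity session, and the revocation requests make sure the RP's cached tokens stop working even if a copy was retained elsewhere.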