End a session

How to destroy an OIDC session through RP-initiated logout.

You can end the CyberArk Identity browser session when users log out of a federated application, with the option to redirect users to a pre-determined URL. This is relying party (RP) initiated logout, as described in the OIDC spec.

  • If post_logout_url is not used, CyberArk Identity redirects users to /, resulting in an HTTP 302 Found response.
  • The state query parameter is passed to the relying party when users are redirected with post_logout_url.
  • id_token_hint is accepted, but not utilized. Session information in the cookie is used to destroy the session.

GET https://mytenant.my.idaptive.app/oauth2/endsession?post_logout_redirect_uri=https%3A%2F%2Fwww.mycompany.com

The response indicates 302 Found if the session was successfully destroyed and the user redirected.

HTTP/1.1 302 Found
Location: https://www.mycompany.com
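
The relying-party side of this flow, as an added example (not CyberArk code): it builds the endsession URL with a random state and checks that value when the browser lands on the post-logout URL. The function names are hypothetical, and the example assumes the state comes back as a query parameter on the redirect and that the relying party keeps the issued value in its own session.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

TENANT = "https://mytenant.my.idaptive.app"   # tenant host used on this page
POST_LOGOUT = "https://www.mycompany.com"     # post-logout target used on this page


def build_logout_url(tenant=TENANT, post_logout_redirect_uri=POST_LOGOUT):
    """Return (url, state). The browser must navigate to url itself, because
    the session cookie, not id_token_hint, identifies the session to destroy."""
    state = secrets.token_urlsafe(32)  # unguessable, single-use value
    query = urlencode({
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })
    return f"{tenant}/oauth2/endsession?{query}", state


def verify_logout_callback(callback_url, expected_state, expected_base=POST_LOGOUT):
    """Accept the post-logout landing request only if it arrives on the
    expected origin and carries exactly one state equal to the issued one."""
    got, want = urlsplit(callback_url), urlsplit(expected_base)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        return False
    values = parse_qs(got.query).get("state", [])
    if len(values) != 1:  # missing or duplicated state parameter
        return False
    # Compare as bytes in constant time; str input may be non-ASCII.
    return hmac.compare_digest(values[0].encode(), expected_state.encode())


if __name__ == "__main__":
    url, state = build_logout_url()
    print("redirect the browser to:", url)
    # Constructed landing request, as it would look after the 302 redirect.
    landing = f"{POST_LOGOUT}/?state={state}"
    print("landing accepted:", verify_logout_callback(landing, state))
```

Clear the relying party's own session before redirecting to the endsession URL, and discard the stored state after the first successful check.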