Logout (B2C)

Logout is the act of terminating an authenticated session when it is no longer needed, which shortens the window in which an unauthorized party can take over that session. This is typically achieved by providing a logout option in the user interface you offer to your users. Multiple types of sessions can be created when a user logs in (for example, local application sessions, the Login 3.0 session, and third-party Identity Provider sessions), and you will need to determine which of these sessions must be terminated when the user clicks any Logout option. All configuration of logout behavior must be requested from and handled by the UPBOND team.

Best Practice

Your logout behavior should make it clear to a user which session(s) are being terminated, and ideally, will display a visual confirmation of logout afterward.

When configuring logout behavior, consider:

  • Which sessions should be terminated when the user initiates logout?

  • What information should you provide to users as confirmation of the sessions terminated?

  • Where should users be redirected to after logout completes?

  • How long do you want sessions to last in the event that users do not trigger the logout process?

Types of Logout

Given the varying types of sessions that can be created whenever a user logs in, there are several types of logout possible. Local application logout ends only the session with your application, whereas Login 3.0 logout terminates the Login 3.0 session. If you have organizations that use their own Identity Provider (IdP), you may also need a Federated Logout strategy that terminates the session at that IdP, and should implement it accordingly. Global, or Single Logout (SLO), ends the Login 3.0 session and also sends a logout request or notice to the applications relying on that session.

The functionality provided by your application, as well as your use of features like Single Sign-on (SSO), will inform your decision as to what type of logout is required and what visual confirmation you'll need to provide to your users. Regardless of which option you choose, the logout process you implement should make it clear to the user which sessions are being terminated and when the logout process has completed.

If the logout feature in one application terminates a Login 3.0 SSO session that is used by other applications, the user may lose work if they have uncommitted transactions. Be sure to add the functionality needed to handle such conditions (for example, warning the user that a shared session is about to end, or saving unsaved work first) to minimize the likelihood of lost work.

Where to Send Users After Logout

Once your user logs out, they will be redirected to a specific location of your choosing. This location is specified as the logout redirect URL. The URL(s) used to redirect users after logging out must be allowlisted, so that only a destination matching an allowlisted entry is accepted; this mitigates open-redirect vulnerabilities in which an attacker supplies an arbitrary destination of their own. All redirect URL configurations must be requested from and managed by the UPBOND team.

If the user logs out and you redirect them back to the application, and the application in turn redirects to an Identity Provider that still holds a valid session for the user, the user will be silently logged back in to the application. To the user this looks as if the logout process did not work. If you intend a full logout, either terminate the Identity Provider session as well (see Federated Logout above) or redirect to a page, such as a logged-out confirmation page, that does not start a new login.
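The check an allowlist must enforce, shown here as an added example in Python that is not UPBOND or Login 3.0 code: the requested return URL is canonicalized and compared for an exact match against the allowlist, and anything else falls back to a fixed logged-out page. For contrast it also includes the prefix check that naive implementations use, which lookalike hosts and userinfo tricks slip past. The allowlist entries, the default page and the helper names (canonicalize, resolve_logout_redirect, naive_is_allowed) are assumptions made for this example; with Login 3.0 the real allowlist is configured by the UPBOND team, but your own application should apply the same check to any return URL it accepts from a request.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example (assumed values, not a Login 3.0 setting).
LOGOUT_REDIRECT_ALLOWLIST = {
    "https://app.example.com/logged-out",
    "https://app.example.com/account",
    "http://localhost:3000/logged-out",
}

# Safe fallback used whenever the requested URL is not on the allowlist.
DEFAULT_LOGOUT_REDIRECT = "https://app.example.com/logged-out"

# Only absolute http(s) URLs are acceptable; default ports are dropped when canonicalizing.
DEFAULT_PORTS = {"http": 80, "https": 443}


def canonicalize(url: str) -> Optional[str]:
    """Return a canonical "scheme://host[:port]/path[?query]" for an absolute
    http(s) URL, or None if the URL must be rejected outright.

    The canonical form lower-cases the host, drops default ports and fragments,
    and turns an empty path into "/", so an exact comparison against the
    allowlist is not defeated by cosmetic variations of a legitimate URL.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # relative, scheme-relative ("//evil.com") and javascript: URLs
    if parts.username is not None or parts.password is not None:
        return None  # "https://app.example.com@evil.com" actually goes to evil.com
    host = parts.hostname  # already lower-cased by urlsplit
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        host = f"{host}:{port}"
    canonical = f"{parts.scheme}://{host}{parts.path or '/'}"
    if parts.query:
        canonical += "?" + parts.query
    return canonical


def resolve_logout_redirect(requested: Optional[str],
                            allowlist: Iterable[str] = LOGOUT_REDIRECT_ALLOWLIST,
                            default: str = DEFAULT_LOGOUT_REDIRECT) -> str:
    """Pick the post-logout destination: the requested URL only if its canonical
    form exactly matches an allowlisted entry, otherwise the default page."""
    if not requested:
        return default
    candidate = canonicalize(requested)
    if candidate is None:
        return default
    allowed = {canonicalize(entry) for entry in allowlist} - {None}
    return candidate if candidate in allowed else default


# The check to avoid: prefix matching on the application origin.
ALLOWED_ORIGIN = "https://app.example.com"


def naive_is_allowed(requested: str) -> bool:
    """Prefix check that passes attacker-controlled hosts such as
    app.example.com.evil.com or app.example.com@evil.com."""
    return requested.startswith(ALLOWED_ORIGIN)


if __name__ == "__main__":
    # Constructed sample of return URLs a page or an attacker might submit.
    samples = [
        "https://app.example.com/account",                          # exact match: allowed
        "https://APP.example.com:443/account#top",                  # cosmetic variant: allowed
        "https://app.example.com.evil.com/account",                 # lookalike host: rejected
        "https://app.example.com@evil.com/account",                 # userinfo trick: rejected
        "//evil.com/account",                                       # scheme-relative: rejected
        "https://app.example.com/account?next=https://evil.com/",   # extra query: rejected
    ]
    for url in samples:
        print(f"{url!r:60} naive={naive_is_allowed(url)!s:5} -> {resolve_logout_redirect(url)}")
```

Exact matching on the canonical form is deliberately strict: a legitimate URL with a different port or an extra query parameter is rejected rather than guessed at, which is the right failure mode for a redirect target.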

Automatic Termination of Sessions

Not all users will trigger the logout process manually, so Login 3.0 also provides session timeout to prevent overly long-lived sessions from remaining valid after the user has walked away. All session timeout settings and configurations must be requested from and handled by the UPBOND team.
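How automatic termination and explicit logout fit together for the local application session, as an added example in Python that is not UPBOND or Login 3.0 code. The store enforces an idle timeout (activity extends it) and an absolute lifetime (activity does not), deletes an expired session rather than merely hiding it, and implements local logout as server-side deletion, since clearing the browser cookie alone leaves the session identifier valid. The lifetimes, the SessionStore class and its method names are assumptions for this example; the Login 3.0 session's own timeout is configured by the UPBOND team.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed lifetimes for this example; pick values that fit your application.
IDLE_TIMEOUT_SECONDS = 15 * 60           # end the session after 15 minutes without activity
ABSOLUTE_LIFETIME_SECONDS = 8 * 60 * 60  # end it 8 hours after login regardless of activity


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen_at: float


@dataclass
class SessionStore:
    """In-memory local application session store (example only)."""
    sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a session and return its unguessable identifier."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user_id, now, now)
        return sid

    def get(self, sid: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the live session for sid, or None if it is unknown or expired.
        Expired sessions are deleted, not just hidden, so a later request
        carrying the same identifier cannot revive them."""
        now = time.time() if now is None else now
        session = self.sessions.get(sid)
        if session is None:
            return None
        idle_expired = now - session.last_seen_at > IDLE_TIMEOUT_SECONDS
        absolute_expired = now - session.created_at > ABSOLUTE_LIFETIME_SECONDS
        if idle_expired or absolute_expired:
            del self.sessions[sid]
            return None
        session.last_seen_at = now  # activity extends the idle window only
        return session

    def logout(self, sid: str) -> bool:
        """Local logout: terminate the application session server-side.
        Returns False if there was no live session to terminate."""
        return self.sessions.pop(sid, None) is not None


if __name__ == "__main__":
    # Constructed timeline: a user logs in, is active, then goes idle too long.
    store = SessionStore()
    t0 = 1_700_000_000.0
    sid = store.login("alice", now=t0)
    print("active after 10 min:", store.get(sid, now=t0 + 600) is not None)
    print("still there after 20 idle min:", store.get(sid, now=t0 + 600 + 20 * 60) is not None)
    sid = store.login("alice", now=t0)
    print("logout terminated it:", store.logout(sid), "and again:", store.logout(sid))
```

Passing an explicit `now` keeps the expiry logic testable without sleeping; in production you would omit it and let the store use the clock.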
