SAML - provide support for Single Logout

Since this idea predates Domino's introduction of OIDC support, I would like to make a few comments about what can be done in current versions of the product.

• The "logout" user gesture in Verse and iNotes can be configured to redirect the browser to a specified URL after logout via the iNotes_WA_LogoutRedirect notes.ini. A simple redirect may not support SAML Single Logout (SLO), but this can be used to perform RP-Initiated Logout with an OIDC Provider.

• Domino 14.0 supports back-channel logout for OIDC. https://help.hcl-software.com/domino/14.0.0/admin/wn_webuserloginoidc.html?scLang=en

• Domino 14.5 Early Access 2 supports using Domino as an OIDC Provider, which includes an end_session_endpoint and support for back-channel logout. https://help.hcl-software.com/domino/14.5.0/admin/secu_use_domino_as_oidc_provider_c.html

Customers who have not yet configured SAML-based Federated Identity or who are using an identity provider that supports both SAML and OIDC may wish to consider using OIDC instead of SAML.

(Please note that Early Access builds are not suitable for use in production environments or with production data.)

yes Logout is important!

I just read about that HTTPEnableConnectorHeaders is now longer available in Domino from version 12.0.1. This means that our current workaround with a proxy server in front of Domino will stop to work. We really need to be able to Logout directly from Domino

Yes, we need this. Now we need to setup another server in front of Domino to handle logout,

SLO is much needed, this is a very valuable security feature

I agree with the poster.... we need a single SAML logout in order to provide a truly functional solution

CAS supported also needed fro SAML.