Enable Single Logout for SAML with AWS Cognito

Learn how to configure Amazon Cognito and your identity provider (IdP) so that SAML users can fully sign out of Reltio.

Prerequisites

You must have administrator access to your Amazon Cognito User Pool and to your identity provider (IdP).

Context

When you enable Single Logout (SLO), Reltio can redirect users to Amazon Cognito and your IdP to terminate the session completely. This ensures that users are prompted to enter their credentials again after they log out.

To enable Single Logout with AWS Cognito:
  1. In Amazon Cognito, open your User Pool and navigate to Authentication > Social and external providers > {your SAML provider}.
  2. Select Edit.
  3. Select Enable signout flow and Sign SAML requests to this provider, and download the Cognito signing certificate.
  4. Navigate to Authentication > App clients > {your web client} > Applications > Login pages.
  5. Add your Reltio logout landing page under Allowed sign-out URLs.
  6. In your IdP, upload the Cognito signing certificate.
  7. Enable Single Logout and Signed requests.
  8. Set the Single Logout URL to your Cognito logout endpoint.
  9. Export the IdP metadata with the logout settings and update your Cognito SAML provider configuration with it.

After you complete this configuration:

  • The Revoke token API response includes a logoutUri parameter when your tenant is configured for SAML logout.
  • You must redirect the user’s browser to logoutUri after a successful revoke to clear Cognito session cookies, and return users to the IdP login page.
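The following is an added example of how a web application can act on the Revoke token API response described above; it is not part of the Reltio documentation, SDK or Cognito itself. It assumes that the revoke response body is a JSON object that may carry a `logoutUri` key (as stated on this page) and that the Cognito user pool domain, client id and landing page it uses are constructed placeholder values. Because `logoutUri` arrives in an API response, the handler treats it as untrusted input and only redirects to a host on a configured allow-list, falling back to a local signed-out page otherwise, so a tampered or unexpected value can never turn the logout step into an open redirect.

```python
"""Added example: turn a revoke-token response into a post-logout redirect.

Hypothetical code, not Reltio's or AWS's own. Assumptions (all constructed):
- the revoke response is JSON and may contain a "logoutUri" string;
- "example-pool.auth.us-east-1.amazoncognito.com" is the tenant's Cognito
  user pool domain, "CLIENT_ID_PLACEHOLDER" stands in for the app client id;
- "https://app.example.com/logged-out" is the Reltio logout landing page that
  was registered under Allowed sign-out URLs in the Cognito app client.
"""
import json
from typing import Optional, Tuple
from urllib.parse import urlparse

# Allow-list of hosts the browser may be sent to after revoke (constructed).
# Keep this to the user pool domain(s) your tenant actually uses.
ALLOWED_LOGOUT_HOSTS = frozenset({"example-pool.auth.us-east-1.amazoncognito.com"})

# Local page to show when no Cognito/IdP sign-out redirect applies (constructed).
LOCAL_SIGNED_OUT_PAGE = "https://app.example.com/logged-out"

# Constructed sample response bodies, not captured from a real tenant.
SAML_TENANT_RESPONSE = json.dumps({
    "logoutUri": "https://example-pool.auth.us-east-1.amazoncognito.com/logout"
                 "?client_id=CLIENT_ID_PLACEHOLDER"
                 "&logout_uri=https%3A%2F%2Fapp.example.com%2Flogged-out"
})
NON_SAML_TENANT_RESPONSE = json.dumps({"status": "revoked"})
UNEXPECTED_HOST_RESPONSE = json.dumps(
    {"logoutUri": "https://not-our-pool.example.net/logout"})


def extract_logout_uri(revoke_response_body: str) -> Optional[str]:
    """Return the logoutUri from a revoke response, or None when absent.

    A tenant that is not configured for SAML logout gets no logoutUri, so the
    caller must be prepared for None (and for a non-JSON body).
    """
    try:
        data = json.loads(revoke_response_body)
    except json.JSONDecodeError:
        return None
    uri = data.get("logoutUri") if isinstance(data, dict) else None
    return uri if isinstance(uri, str) and uri else None


def is_trusted_logout_uri(uri: str, allowed_hosts=ALLOWED_LOGOUT_HOSTS) -> bool:
    """Accept only https URLs whose host is a configured Cognito domain.

    The value came over the wire from an API, so it is untrusted input:
    redirecting the browser to an arbitrary host would be an open redirect.
    """
    parsed = urlparse(uri)
    return (parsed.scheme == "https"
            and parsed.hostname is not None
            and parsed.hostname in allowed_hosts)


def logout_redirect(revoke_response_body: str) -> Tuple[int, str]:
    """Decide where to send the browser after a successful revoke.

    Returns (HTTP status, Location header value). Redirecting to logoutUri
    is what clears the Cognito session cookies and hands off to the IdP's
    logout, so this must happen only after the revoke call succeeded.
    """
    uri = extract_logout_uri(revoke_response_body)
    if uri is not None and is_trusted_logout_uri(uri):
        return 302, uri
    return 302, LOCAL_SIGNED_OUT_PAGE


if __name__ == "__main__":
    for label, body in (("saml tenant", SAML_TENANT_RESPONSE),
                        ("non-saml tenant", NON_SAML_TENANT_RESPONSE),
                        ("unexpected host", UNEXPECTED_HOST_RESPONSE)):
        status, location = logout_redirect(body)
        print(f"{label:16s} -> {status} {location}")
```

The `logout_uri` query parameter embedded in the constructed `logoutUri` is the same landing page that step 5 registers under Allowed sign-out URLs; Cognito rejects a logout request whose `logout_uri` is not on that list, so the value returned by the API and the app client configuration have to agree. If you serve several tenants with different user pool domains, populate `ALLOWED_LOGOUT_HOSTS` from tenant configuration rather than a constant.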