
Single Sign-out

Single Sign-out enables session termination on multiple software systems via a single logout endpoint.

OIDC Front-Channel Logout

Pomerium supports Front-Channel Logout as described in OpenID Connect Front-Channel Logout 1.0 - draft 04.

Provider Support

To find out whether your identity provider (IdP) supports Front-Channel Logout, look at your IdP's /.well-known/openid-configuration endpoint. On standards-compliant providers it would contain:

"frontchannel_logout_session_supported": true


You need to register a frontchannel_logout_uri in your OAuth 2.0 Client settings. The URL is handled by the Authenticate Service under the path /.pomerium/sign_out (e.g
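The provider check and the URI to register, as an added example that is not part of Pomerium's code or documentation. The function names, the sample discovery documents and the example.com hostnames are constructed for illustration, and the requirement that the Authenticate Service URL be https is an assumption.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Metadata names defined by OpenID Connect Front-Channel Logout 1.0.
FLAGS = ("frontchannel_logout_supported", "frontchannel_logout_session_supported")
SIGN_OUT_PATH = "/.pomerium/sign_out"  # path handled by the Authenticate Service


def check_idp(discovery_json: str) -> dict:
    """Return {flag: bool} for a discovery document; only JSON true counts."""
    doc = json.loads(discovery_json)
    if not isinstance(doc, dict):
        raise ValueError("discovery document must be a JSON object")
    # A missing flag defaults to false; a string such as "true" is not a boolean.
    return {flag: doc.get(flag) is True for flag in FLAGS}


def logout_uri(authenticate_url: str) -> str:
    """Build the frontchannel_logout_uri to register (hypothetical helper)."""
    parts = urlsplit(authenticate_url)
    # Assumption: the Authenticate Service is only ever exposed over https.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("authenticate URL must be an absolute https URL")
    # Drop any path, query or fragment and pin the sign-out path.
    return urlunsplit(("https", parts.netloc, SIGN_OUT_PATH, "", ""))


# Constructed sample documents (not taken from any real provider).
COMPLIANT = json.dumps({
    "issuer": "https://idp.example.com",
    "frontchannel_logout_supported": True,
    "frontchannel_logout_session_supported": True,
})
STRINGLY = json.dumps({
    "issuer": "https://idp.example.com",
    "frontchannel_logout_session_supported": "true",  # string, not boolean
})

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT), ("stringly", STRINGLY)):
        print(name, check_idp(doc))
    print(logout_uri("https://authenticate.example.com"))
```

To check a live provider, save its /.well-known/openid-configuration response to a file and pass the file contents to check_idp.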

The endpoint

See Pomerium's /.well-known/pomerium endpoint for the sign-out page's URI. For example,

"authentication_callback_endpoint": "",
"jwks_uri": "",
"frontchannel_logout_uri": ""

Note that a CSRF token is required for the single sign-out endpoint, even though it supports both GET and POST. The token can be retrieved from the X-CSRF-Token response header on the well-known endpoint above or using the _pomerium_csrf session set.