Signing out of the API if single sign-on is enabled

If single sign-on (SSO) has been enabled, you must issue a series of API requests to sign out of the Grid Management API or the Tenant Management API.

About this task

If required, you can sign out of the StorageGRID API by logging out from your organization's single logout page. Alternatively, you can trigger single logout (SLO) from StorageGRID, which requires a valid StorageGRID bearer token.


  1. To generate a signed logout request, pass the cookie "sso=true" to the SLO API:
    curl -k -X DELETE "https://$STORAGEGRID_ADDRESS/api/v3/authorize" \
    -H "accept: application/json" \
    -H "Authorization: Bearer $MYTOKEN" \
    --cookie "sso=true" \
    | python -m json.tool
    A logout URL is returned:
    {
        "apiVersion": "3.0",
        "data": "",
        "responseTime": "2018-11-20T22:20:30.839Z",
        "status": "success"
    }
  2. Save the logout URL.
    export LOGOUT_REQUEST=''
  3. Send a request to the logout URL to trigger SLO and to redirect back to StorageGRID.
    curl --include "$LOGOUT_REQUEST"
    A 302 response is returned. The redirect location is not applicable to API-only logout.
    HTTP/1.1 302 Found
    Location: https://$STORAGEGRID_ADDRESS:443/api/saml-logout?SAMLResponse=fVLLasMwEPwVo7ss%...%23rsa-sha256
    Set-Cookie: MSISSignoutProtocol=U2FtbA==; expires=Tue, 20 Nov 2018 22:35:03 GMT; path=/adfs; HttpOnly; Secure
  4. Delete the StorageGRID bearer token.

    Deleting the StorageGRID bearer token works the same way as without SSO. If the cookie "sso=true" is not provided, the user is logged out of StorageGRID without affecting the SSO state.

    curl --include -X DELETE "https://$STORAGEGRID_ADDRESS/api/v3/authorize" \
    -H "accept: application/json" \
    -H "Authorization: Bearer $MYTOKEN"

    A 204 No Content response indicates the user is now signed out.

    HTTP/1.1 204 No Content
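
The four steps above combined into one script with a check after each step, as an added example that is not part of the original documentation. The function names, the python3 dependency, and the constructed sample response with its idp.example.com URL are assumptions; unlike step 1 it omits -k, which assumes the grid certificate chains to a CA that curl trusts.

```shell
# Added example, not NetApp's code. Assumes STORAGEGRID_ADDRESS and MYTOKEN are
# exported as in the steps above, and that python3 is on the PATH.

# Constructed sample of a step 1 response; the URL is a placeholder.
SAMPLE_RESPONSE='{"apiVersion":"3.0","data":"https://idp.example.com/adfs/ls/?SAMLRequest=PLACEHOLDER","responseTime":"2018-11-20T22:20:30.839Z","status":"success"}'

# Read a step 1 JSON response on stdin and print the logout URL.
# Fails unless status is "success" and data is a non-empty https URL.
extract_logout_url() {
  python3 -c '
import json, sys
try:
    body = json.load(sys.stdin)
    url = body["data"]
    ok = body["status"] == "success" and url.startswith("https://")
except Exception:
    ok = False
if not ok:
    sys.exit(1)
print(url)'
}

# Run steps 1 to 4, stopping at the first unexpected result.
sso_sign_out() {
  local api="https://$STORAGEGRID_ADDRESS/api/v3/authorize"
  local logout_url code

  # Steps 1 and 2: request the signed logout URL and keep it. No -k here:
  # this assumes the grid certificate chains to a CA that curl trusts.
  logout_url=$(curl --silent --fail -X DELETE "$api" \
      -H "accept: application/json" -H "Authorization: Bearer $MYTOKEN" \
      --cookie "sso=true" | extract_logout_url) ||
    { echo "no logout URL returned" >&2; return 1; }

  # Step 3: trigger SLO. The redirect is not followed; only the 302 matters.
  code=$(curl --silent --output /dev/null --write-out '%{http_code}' "$logout_url")
  [ "$code" = 302 ] || { echo "SLO returned $code, expected 302" >&2; return 1; }

  # Step 4: delete the bearer token and require the 204.
  code=$(curl --silent --output /dev/null --write-out '%{http_code}' \
      -X DELETE "$api" -H "accept: application/json" \
      -H "Authorization: Bearer $MYTOKEN")
  [ "$code" = 204 ] || { echo "token delete returned $code, expected 204" >&2; return 1; }
}
```

After sourcing the file, call sso_sign_out; a non-zero return names the step whose result did not match, so a session is never assumed closed on a failed request.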