Do you always close your session in Jira when you've finished tracking your work? I seriously doubt it.
Most users regularly forget to log out of their applications when they're done using them, and Atlassian tools are certainly no exception.
In single sign-on environments, that can be particularly true: since users only log in once, they may not be aware of how many open sessions they're running simultaneously.
That's why most SSO solutions include single logout in their offering. The principle is always the same: log out of one application, and the system will take care of shutting every other open session at the same time. Close your session in the Identity Provider (IdP), and all open applications will be automatically shut down.
Unfortunately, Single Logout is not included in the Data Center SSO features, so even if you have it set up on your Okta, Azure AD, or whatever the IdP of your choice is, users of Atlassian applications will not be benefitting from it.
Unless you want to embark into a custom-made solution, the Atlassian Marketplace offers SSO apps that can do the trick. In this article I'm going to give an example and show how you can enable SLO with resolution's SAML SSO apps (for full disclosure, resolution is my current employer).
But first, let me give a short reminder of why leaving sessions open is a really bad habit from a security standpoint.
When user sessions in Jira, Confluence, Bitbucket or any other Atlassian, you are vulnerable to at least two types of malicious attacks:
The following steps work for Jira, Confluence, Bitbucket, Bamboo, or Fisheye applications in both Data Center and Server hostings.
To include the SLO URLs in the SAML Metadata, simply check the box at the bottom in the Service Provider tab
There are two options here:
Go to the Identity provider tab and choose between POST and Redirect.
This step will determine the exact format for exchanging data between your IdP and your Atlassian applications.
In the same tab, make sure that the SLO URL is already loaded; if not, go ahead and set it using the format in Step 1.
Now it's time to check the settings in your IdP to make sure it fully supports your setup.
While settings will vary for each IdP, you can see a detailed explanation here for the most common Identity Providers:
For additional details, have a look at the full documentation.
Single Logout is an integral component of a full SSO solution that you'll want to set up to protect your corporate assets. Resolution's SAML SSO apps will help you set it up for both Server and Data Center hostings of your Atlassian applications.
Remember that whether SLO is possible will ultimately depend of your IdP. Although leaders in the IAM landscape include this possibility, other minor providers or custom-develop solutions may not have Single Logout capabilities.
Capi _resolution_Marketplace Partner