Guidelines for the Single Logout Confirmation Page
To support single logout, you should have a logout confirmation page at your site. This page lets the user know they are logged out.
The logout confirmation page must satisfy the following criteria:
- If single logout is initiated at the Service Provider, the logout confirmation page should be an unprotected local resource at the Service Provider site.
- If single logout is initiated at the Identity Provider, the logout confirmation page should be an unprotected local resource at the Identity Provider site. The page must be unprotected because the user's session has already been terminated by the time the page is served.
- The page cannot be a resource in a federation partner domain. For example, if the local domain is ca.com, the SLO confirmation page cannot be in the example.com domain.
To receive feedback about a logout failure, the logout confirmation page should also support the following:
- Be able to read cookies and decode Base64-encoded data.
- The page at the IdP and at the SP should contain code that looks for a SIGNOUTFAILURE cookie. This cookie is set in the user's browser if single logout fails, and it contains the Partner IDs of the federation sites where logout failed. The IDs are Base64-encoded and, if multiple IDs are listed, they are separated by a space character.
By configuring the logout confirmation page to look for this cookie, the page can tell the user where the logout failed, which is useful in networks where a user is logging out from multiple partner sites. Because the cookie arrives from the browser, treat the decoded Partner IDs as untrusted input and HTML-escape them before writing them into the page.
Additionally, if the SIGNOUTFAILURE cookie is found, the logout confirmation page should tell users to close the web browser to remove all session data.
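The following is an added example of the cookie-handling logic described above; it is not code from the Federation Security Services product or its documentation. It parses a document.cookie-style string, extracts the SIGNOUTFAILURE cookie, decodes the space-separated Base64 Partner IDs, and builds the user-facing message with the IDs HTML-escaped. The cookie name and the space separator come from the text; the assumptions are that the cookie value may additionally be %XX-encoded by the server and that Partner IDs are ASCII. The sample cookie values are constructed for the example.

```javascript
// Added example for a single logout confirmation page (not CA's code).
// Assumptions: the SIGNOUTFAILURE value may be %XX-encoded, and Partner IDs
// are ASCII strings (assumption; the guide only says they are Base64-encoded
// and space-separated).

const FAILURE_COOKIE = "SIGNOUTFAILURE";

// Base64 decode that works in browsers (atob) and in Node (Buffer fallback).
function base64Decode(s) {
  if (typeof atob === "function") return atob(s);
  return Buffer.from(s, "base64").toString("latin1");
}

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Return the decoded Partner IDs where logout failed, or [] if the cookie
// is absent or empty. Tokens that are not well-formed Base64 are dropped:
// the cookie is client-controlled input, not a trusted data source.
function failedPartnerIds(cookieString) {
  const raw = parseCookies(cookieString)[FAILURE_COOKIE];
  if (raw === undefined || raw === "") return [];
  let value = raw;
  try { value = decodeURIComponent(raw); } catch (_) { /* keep raw value */ }
  const ids = [];
  for (const token of value.split(/\s+/)) {
    if (!token) continue;
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(token)) continue;
    try { ids.push(base64Decode(token)); } catch (_) { /* skip bad token */ }
  }
  return ids;
}

// HTML-escape before insertion: never write decoded cookie data via innerHTML
// unescaped, since it could carry markup supplied by another party.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the confirmation message. When logout failed somewhere, list the
// partner sites and tell the user to close the browser, as the guide requires.
function buildLogoutMessage(cookieString) {
  const ids = failedPartnerIds(cookieString);
  if (ids.length === 0) return "<p>You have been logged out.</p>";
  const items = ids.map((id) => `<li>${escapeHtml(id)}</li>`).join("");
  return "<p>Logout could not be completed at the following partner sites:</p>" +
         `<ul>${items}</ul>` +
         "<p>Close your web browser to remove all session data.</p>";
}

// Constructed sample: Base64("idp") = "aWRw", Base64("sp") = "c3A=",
// space-separated as the guide describes, alongside an unrelated cookie.
const SAMPLE_COOKIE = "JSESSIONID=abc123; SIGNOUTFAILURE=aWRw c3A=";

// In the confirmation page itself, run this against the live cookie jar.
if (typeof document !== "undefined") {
  document.getElementById("logout-status").innerHTML = buildLogoutMessage(document.cookie);
} else {
  console.log(buildLogoutMessage(SAMPLE_COOKIE));
}
```

The element id `logout-status` is a placeholder for whatever container the page uses. The regex check and `escapeHtml` are the parts that matter from a security standpoint: a Partner ID the page cannot decode is simply omitted, and a decoded ID containing markup is rendered as text rather than interpreted.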