Jamf Pro uses IdP-initiated SAML Single Logout (SLO) during enrollment to ensure users can end all sessions started with Jamf Pro and the IdP. After users complete the enrollment process, a Logout button is available. Use the Messaging pane in User-Initiated Enrollment settings to customize the text displayed during the enrollment experience.
SLO is not available in the following scenarios:
Your IdP does not provide any SLO endpoints in the metadata.
A Jamf Pro Signing Certificate is not set up.
When SLO is not available, a message stating that the IdP session may still be active is displayed to users. This is important for Jamf Pro administrators who cannot completely log out after performing the enrollment process for other users.
To support uncommon IdP configurations, the GET binding (less secure than POST) can be used for SAML Single Logout.