How autologout prompt is implemented on SSO
The prompt feature can authenticate the user and resume the application after an auto-logout event.
If the auto_logout PROMPT element is configured, when an AUTO_LOGOUT timeout is reached, the user agent displays a screen or page notifying the user that a re-login is required in order to continue. If the user clicks the re-login button, the user agent is redirected to the URL specified by the PROMPT configuration element.
The query string of the PROMPT URL may contain the following:
- Application session id (session=ua_session_id in the URL examples).
- Timeout value (timeout=prompt_timeout in the URL examples).
- An entry from the FGL_AUTO_LOGOUT_PROMPT_QUERY environment variable, if set at uaproxy start-up.
Examples of the prompt and query strings are shown for both URL and DELEGATE types of re-login:
URL re-login
The URL type represents an absolute URL that the user agent is redirected to when the user wants to re-log in. With a PROMPT of type URL, no security check is done to ensure that the request to resume the application comes from a valid user: any request that reaches the resume URL for a session is honored. Use a prompt of type URL only for prototyping purposes.
http://myserver/reauthenticate?session=ua_session_id&timeout=prompt_timeout&prompt=prompt_id
DELEGATE re-login
The DELEGATE type represents the delegate service the user agent is redirected to when the user wants to re-log in. The delegate service authenticates the user before the application is resumed.
http://localhost:6394/gas/ws/r/services/OpenIDConnectServiceProvider/Prompt?session=ua_session_id&timeout=prompt_timeout&prompt=prompt_id
Once the user is re-authenticated, the application is resumed through the resume URL:
http://host:port/gas/ua/resume/session_id
Application restart via URL
The uaproxy will remove the screen hiding the application, and the user resumes the application.
Application restart via DELEGATE
When an application stops, a new cookie named Genero-END is set by the GAS. If you need to detect at application restart how the application previously stopped, the cookie value indicates this as follows:
- Disconnected: the application stopped due to the auto-logout timeout.
- Closed: the application was stopped by user action.
Genero-END is not generated on first starting the application. As the cookie is not persistent, if you close the browser, the cookie is discarded.
Handling the application restart involves the following:
- The dispatcher forwards the /ua/resume request (with all cookies) to the delegate service via the delegate mechanism, in order to validate user tokens that may have been set during the credential validation process.
- If the user credentials are valid, the delegate service responds with HTTP code 307 and an HTTP response phrase of _GENERO_INTERNAL_DELEGATE_ in order to resume the ua application. See How to implement delegation for more details.
- If the user credentials are not valid, the delegate service returns an HTTP response that is displayed in the user-agent window to indicate the errors.
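The DELEGATE restart handshake above, together with the Genero-END check, as an added example in Python. This is not Genero or GAS code and not the GAS delegate API: it is a minimal stand-in for the delegate service side, handling the /ua/resume request the dispatcher forwards with all cookies. The token cookie name ua_token, its user:expiry:hmac format, the demo secret, the listening port and the Location header on the 307 are assumptions of this example; the 307 status and the _GENERO_INTERNAL_DELEGATE_ reason phrase are the ones described on this page.

```python
"""Delegate-side handling of a forwarded /ua/resume request.

Added example, not Genero/GAS code. Assumed: the user token set during
credential validation lives in a cookie named "ua_token" (hypothetical)
with the format user:expiry:hmac-sha256-hex.
"""
import hashlib
import hmac
import time
from http import HTTPStatus
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo secret; a real delegate loads it from a protected store.
SECRET = b"constructed-demo-secret"
TOKEN_COOKIE = "ua_token"                          # hypothetical cookie name
INTERNAL_DELEGATE = "_GENERO_INTERNAL_DELEGATE_"   # reason phrase from the page


def make_token(user, ttl, now=None):
    """Issue user:expiry:tag (assumed format) at credential validation time."""
    exp = int((now if now is not None else time.time()) + ttl)
    payload = "{}:{}".format(user, exp).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return "{}:{}:{}".format(user, exp, tag)


def validate_token(token, now=None):
    """Return the user if the tag verifies and the token is unexpired, else None."""
    try:
        user, exp_str, tag = token.rsplit(":", 2)
        exp = int(exp_str)
    except ValueError:
        return None
    expected = hmac.new(SECRET, "{}:{}".format(user, exp).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    if (now if now is not None else time.time()) >= exp:
        return None
    return user


def parse_cookies(header):
    """Turn a Cookie request header into a plain name -> value dict."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def previous_stop(cookies):
    """Classify how the application last ended from the Genero-END cookie."""
    value = cookies.get("Genero-END")
    if value is None:
        return "first-start"       # cookie is not generated on first start
    if value in ("Disconnected", "Closed"):
        return value
    return "unknown"


def decide(cookie_header, resume_path, now=None):
    """Map the forwarded request to (status, reason phrase, headers, body)."""
    cookies = parse_cookies(cookie_header)
    user = validate_token(cookies.get(TOKEN_COOKIE, ""), now)
    if user is None:
        # Invalid credentials: an ordinary error response, shown in the user agent.
        body = (b"<h1>Re-authentication required</h1>"
                b"<p>Session token missing, expired or invalid.</p>")
        return (HTTPStatus.UNAUTHORIZED, "Unauthorized",
                {"Content-Type": "text/html"}, body)
    # Valid credentials: 307 with the internal reason phrase hands control back
    # to the dispatcher. Location pointing at the resume path is an assumption.
    return (HTTPStatus.TEMPORARY_REDIRECT, INTERNAL_DELEGATE,
            {"Location": resume_path}, b"")


class ResumeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not self.path.startswith("/ua/resume/"):
            self.send_error(HTTPStatus.NOT_FOUND)
            return
        cookie_header = self.headers.get("Cookie", "")
        self.log_message("%s previous stop: %s", self.path,
                         previous_stop(parse_cookies(cookie_header)))
        status, reason, headers, body = decide(cookie_header, self.path)
        self.send_response(status, reason)   # reason phrase goes on the status line
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ResumeHandler).serve_forever()
```

Run it and request http://127.0.0.1:8080/ua/resume/abc with and without a valid ua_token cookie to see the two branches. The validate_token step is exactly what a PROMPT of type URL lacks, which is why the page restricts that type to prototyping.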