Configure SAML SSO log out

Configure log out from the SAML SSO authentication server after an application ends.

The Genero delegate service, SAMLServiceProvider, automatically asks the user, when the Web application is closed, whether to log out from the IdP. You can change this behavior by setting the SSO tag called SIGN_OFF in the DELEGATE element of your application configuration.
Note:

If you do not specify SSO log out options in the application configuration, on closing the application the user will not be logged out from the IdP. This is the equivalent of specifying <SIGN_OFF>FALSE</SIGN_OFF> in the DELEGATE element.

The delegation SSO log-out feature is provided in FGLGWS and GAS version 3.20.

  1. Add a DELEGATE element in your application configuration (xcf) file.
    <APPLICATION Parent="defaultgwc">
      <EXECUTION>
        <PATH>$(res.path.mypath)/myapplication</PATH>
        <MODULE>myapp.42r</MODULE>
        <DELEGATE service="services/SAMLServiceProvider">
           <IDP>https://idp.ssocircle.com</IDP>
           <IDFORMAT>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</IDFORMAT>
           <SIGN_OFF>TRUE</SIGN_OFF>
        </DELEGATE>
      </EXECUTION>
      <END_URL>http://www.4js.com</END_URL>
    </APPLICATION>
  2. Add a SIGN_OFF parameter.
    This parameter allows for three possible log out methods from the IdP authentication server:
    • TRUE. Closing the application performs SSO log out. When the application is restarted, the user is prompted for SSO login.
    • FALSE. Closing the application does not perform SSO log out. When the application is restarted, the user is not prompted for SSO login.
    • QUERY. (default value) When the application is closed, the user is asked whether to log out of the SSO or not.

      If the user elects to log out, the IdP also needs to redirect back to the user agent, so it is recommended to specify an application END_URL as well.
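
A way to review xcf files for the log out settings described above, as an added example that is not part of the Genero product or its documentation. The function names, the finding texts and the sample documents are constructed here; the check compares SIGN_OFF values exactly as this page spells them and reports an unset SIGN_OFF so that the behaviour is stated explicitly.

```python
import xml.etree.ElementTree as ET

SAML_SERVICE = "services/SAMLServiceProvider"   # delegate service named on this page
SIGN_OFF_VALUES = {"TRUE", "FALSE", "QUERY"}     # spelled as on this page

def audit_xcf(xcf_text):
    """Return log out findings for one application configuration (xcf) document."""
    try:
        app = ET.fromstring(xcf_text)
    except ET.ParseError as exc:                 # e.g. a closing tag with no opening tag
        return [f"not well-formed XML: {exc}"]
    findings = []
    for delegate in app.iter("DELEGATE"):
        if delegate.get("service") != SAML_SERVICE:
            continue                             # other delegates are out of scope
        raw = delegate.findtext("SIGN_OFF")
        value = None if raw is None else raw.strip()
        if value is None:
            findings.append("SIGN_OFF not set: state the log out behaviour explicitly")
        elif value not in SIGN_OFF_VALUES:
            findings.append(f"SIGN_OFF value {value!r} is not TRUE, FALSE or QUERY")
        elif value == "FALSE":
            findings.append("SIGN_OFF is FALSE: closing the application does not log out of the IdP")
        elif not (app.findtext("END_URL") or "").strip():
            # TRUE and QUERY can end in an IdP log out, which needs a redirect target
            findings.append(f"SIGN_OFF is {value} but END_URL is missing")
    return findings

def make_xcf(sign_off, end_url):
    """Build a constructed sample shaped like the configuration on this page."""
    sign = f"<SIGN_OFF>{sign_off}</SIGN_OFF>" if sign_off else ""
    end = f"<END_URL>{end_url}</END_URL>" if end_url else ""
    return ('<APPLICATION Parent="defaultgwc"><EXECUTION>'
            '<PATH>$(res.path.mypath)/myapplication</PATH><MODULE>myapp.42r</MODULE>'
            f'<DELEGATE service="{SAML_SERVICE}"><IDP>https://idp.ssocircle.com</IDP>'
            f'{sign}</DELEGATE></EXECUTION>{end}</APPLICATION>')

if __name__ == "__main__":
    samples = {                                  # all constructed for this example
        "explicit log out": make_xcf("TRUE", "http://www.4js.com"),
        "query, no END_URL": make_xcf("QUERY", None),
        "no log out": make_xcf("FALSE", "http://www.4js.com"),
        "nothing specified": make_xcf(None, None),
        "stray closing tag": "<APPLICATION><EXECUTION/></AUTO_LOGOUT></APPLICATION>",
    }
    for name, text in samples.items():
        print(name, "->", audit_xcf(text) or "ok")
```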