Configure OpenID Connect SSO log out

Configure log out from the OpenID Connect Single Sign on (SSO) authentication server after an application ends.

In General

The Genero delegate service, OpenIDConnectServiceProvider, automatically redirects the user agent to the OpenID Connect end session URL (if specified). Normally, you do not need to configure this logout if you have an OpenID delegate service set for your application.

As Identity providers generally have not yet implemented the logout session management protocol, then a configuration is required. You use the SSO tags, IDP_LOGOUT_URL and SIGN_OFF, in the DELEGATE element to specify the logout.

If you do not specify SSO log out options in the application configuration, on closing the application the user will not be logged out from the IdP. This is the equivalent of specifying <SIGN_OFF>FALSE</SIGN_OFF> in the DELEGATE element.

Troubleshooting

Google does not follow the OpenID-Connect protocol fully. If your IdP provider is Google, for example, the following configuration shows how to implement the logout.

The delegation SSO log-out feature is provided in FGLGWS and GAS version 3.20.

  1. Add a DELEGATE element in your application configuration (xcf) file.

    Within the DELEGATE element, the GOOGLE_OPENID_PUBLIC_ID and GOOGLE_OPENID_SECRET_ID are values got when registering your GAS on Google developer console.

    <?xml version="1.0" encoding="UTF-8"?>
    <APPLICATION Parent="defaultgwc" >
      <EXECUTION>
        <PATH>$(res.deployment.path)</PATH>
        <MODULE>MyApp.42r</MODULE>
        <DELEGATE service="services/OpenIDConnectServiceProvider">
           <IDP>https://accounts.google.com</IDP> 
           <SCOPE>email</SCOPE> 
           <CLIENT_PUBLIC_ID>GOOGLE_OPENID_PUBLIC_ID</CLIENT_PUBLIC_ID>
           <CLIENT_SECRET_ID>GOOGLE_OPENID_SECRET_ID</CLIENT_SECRET_ID>
           <IDP_LOGOUT_URL>https://www.google.com/accounts/Logout?continue=
               https://appengine.google.com/_ah/logout?continue=</IDP_LOGOUT_URL>
           <SIGN_OFF>QUERY</SIGN_OFF>
        </DELEGATE>
      </EXECUTION>
      </AUTO_LOGOUT>
      <END_URL>http://www.4js.com</END_URL>
    </APPLICATION>
  2. Add an IDP_LOGOUT_URL parameter in the DELEGATE element

    The URL represents the log out page of the Google IdP authentication server. This URL requirement varies depending on the IdP used.

  3. Add a SIGN_OFF parameter.
    This parameter allows for three possible log out methods from the IdP authentication server:
    • TRUE. Closing the application will perform SSO log out. Restarting the application, the user is prompted for SSO login.
    • FALSE. Closing the application will not perform SSO log out. Restarting the application, the user is not prompted for SSO login.
    • QUERY. (default value) Closing the application, the user is prompted with the options to log out of the SSO or not.

      If the user elects to log out, the IdP needs to redirect back to the user agent too, so it is recommended to also specify an application END_URL.