Use autologout prompt with SSO
The prompt feature can authenticate the user and resume the application after an auto-logout event.
If the auto_logout PROMPT
element is configured, when an
AUTO_LOGOUT
timeout is reached, the user-agent displays a screen or page to notify
the user that a re-login is required if the user wants to continue. If the user clicks on the
re-login button, the user agent is redirected to a URL specified by the PROMPT
configuration element.
The URL query string
PROMPT
that
may contain the following:- Application session id. (session=ua_session_id in the URL examples)
- Timeout value. (
timeout=prompt_timeout
in the URL examples) - An entry from the FGL_AUTO_LOGOUT_PROMPT_QUERY environment variable, if set at uaproxy start up.
Examples of the prompt and query strings are shown for both URL
and
DELEGATE
types of re-login:
URL re-login
URL
type represents an absolute URL, that the user-agent is redirected
to when the user wants to re-log in. When using PROMPT
of Type
URL, no security check is done to
ensure that the request to resume the application comes from a valid user. Use prompt of type URL
only for prototyping purposes.
http://myserver/reauthenticate?session=ua_session_id&timeout=prompt_timeout&prompt=prompt_id
DELEGATE re-login
The DELEGATE
type represents the delegate service the user-agent is
redirected to when the user wants to re-log in.
The delegate URL is directed to the Genero Application Server SSO OpenID Connect Service provided in the FGLGWS package. The web services URL is concatenated with Prompt, which provides this re-login service.
http://localhost:6394/gas/ws/r/services/OpenIDConnectServiceProvider/Prompt?session=ua_session_id&timeout=prompt_timeout&prompt=prompt_id"
http[
s]
://host:port/gas/ua/resume/session_id
Application restart via URL
The uaproxy will remove the screen hiding the application, and the user resumes the application.
Application restart via DELEGATE
When an application stops, a new cookie named Genero-END
is set by the
GAS. If you need to detect at application restart how the application previously stopped,
the cookie value will indicate this as follows:
Disconnected
: indicates the application stopped due to the auto logout timeout.Closed
: indicates the application was stopped by user-action.
Genero-END
is not generated on first starting the application. As the cookie is
not persistent, if you close the browser, the cookie is discarded.
Handling the application restart involves the following:
- The dispatcher forwards the /ua/resume request (with all cookies) to the delegate service via the delegate mechanism in order to validate user tokens that may have been set during the credential validation process.
- If the user credentials are valid, the delegate service responds with the HTTP code 307
and an HTTP response phrase of
_GENERO_INTERNAL_DELEGATE_
in order to resume the ua application. - If the user credentials are not valid, the delegate service returns an HTTP response that is displayed in the user-agent window to indicate the errors.