Configure SSO logout

When an application ends, is the user logged out from the Single Sign-On authentication server when using the OpenIDConnect service provider? It depends; configuration may be required.

Most identity providers have not implemented the logout session management protocol. Typically, you will need to configure how the logout from the SSO IdP is handled by setting IDP_LOGOUT_URL and SIGN_OFF parameters in the DELEGATE element of your application configuration file (xcf).

You will also need to consider if and how the IdP logout end_session_endpoint was registered by the Genero OpenIDConnectServiceProvider service.
  • For an IdP using OAuth2 SSO, you provide the IdP end_session_endpoint when registering endpoints with the Genero OpenIDConnectServiceProvider service using the ImportOAuth tool. For details about configuring for OAuth logout, go to OAuth2 logout.
  • For an IdP using OpenID Connect SSO, the end_session_endpoint is provided in the metadata that is fetched when our OpenIDConnectServiceProvider automatically registers the IdP. For details about configuring for OpenID Connect logout, go to OpenID Connect logout.
Important: Different IdPs may require different configuration options. Refer to your IdP's documentation for information about its SSO logout options.

OAuth2 logout

Refer to Table 1 for your configuration options depending on whether the end_session_endpoint has been registered.
Table 1. OAuth2 logout configuration

end_session_endpoint registered: No
  Default: The user will not be logged out by default; the default value of SIGN_OFF is FALSE.
  Application configuration: To perform a logout, you must get the end_session_endpoint from your IdP and configure both the SIGN_OFF and IDP_LOGOUT_URL parameters in your application configuration file (xcf).
    • SIGN_OFF: Specify a value for SIGN_OFF. For example, QUERY and the user will be asked each time if they wish to log out, or TRUE and the user will be logged out by default.
    • IDP_LOGOUT_URL: Specify the end_session_endpoint in the IDP_LOGOUT_URL.
  If the user elects to log out, the IdP needs to redirect back to the user agent; therefore, it is recommended to also specify an application END_URL. For an example configuration, go to Example application configuration for SSO logout.

end_session_endpoint registered: Yes
  Default: By default, the user will be asked each time if they wish to log out; the default value of SIGN_OFF is QUERY.
  Application configuration: The end_session_endpoint provided at registration will be used to send the logout request.
    • SIGN_OFF: You can specify another value for SIGN_OFF. For example, TRUE and the user will be logged out, or FALSE and the user will not be logged out.
    • IDP_LOGOUT_URL: To specify a different end_session_endpoint to the one registered, set the IDP_LOGOUT_URL. This is not mandatory.
  If the user elects to log out, the IdP needs to redirect back to the user agent; therefore, it is recommended to also specify an application END_URL. For an example configuration, go to Example application configuration for SSO logout.

OpenID Connect logout

Refer to Table 2 for your configuration options depending on whether the end_session_endpoint has been registered.
Table 2. OpenID Connect logout configuration

end_session_endpoint registered: No
  Default: The user will not be logged out by default; the default value of SIGN_OFF is FALSE.
  Application configuration: To perform a logout, you must get the end_session_endpoint from your IdP and configure both the SIGN_OFF and IDP_LOGOUT_URL parameters in your application configuration file (xcf).
    • SIGN_OFF: Specify a value for SIGN_OFF. For example, QUERY and the user will be asked each time if they wish to log out, or TRUE and the user will be logged out by default.
    • IDP_LOGOUT_URL: Specify the end_session_endpoint in the IDP_LOGOUT_URL.
  If the user elects to log out, the IdP needs to redirect back to the user agent; therefore, it is recommended to also specify an application END_URL. For an example configuration, go to Example application configuration for SSO logout.

end_session_endpoint registered: Yes
  Default: The user will be logged out by default; the default value of SIGN_OFF is TRUE.
  Application configuration: The end_session_endpoint provided by the IdP's metadata will be used to send the logout request, unless you want to provide a different one by setting both IDP_LOGOUT_URL and SIGN_OFF in your application configuration file.
    • SIGN_OFF: You can specify another value for SIGN_OFF. For example, QUERY and the user will be asked each time if they wish to log out, or FALSE and the user will not be logged out.
    • IDP_LOGOUT_URL: If you change the SIGN_OFF method, you must also specify a different end_session_endpoint in the IDP_LOGOUT_URL; the rationale is that if SIGN_OFF is user-defined, the logout URL should also be user-defined.
  If the user elects to log out, the IdP needs to redirect back to the user agent; therefore, it is recommended to also specify an application END_URL. For an example configuration, go to Example application configuration for SSO logout.

Example application configuration for SSO logout

This example shows a typical application configuration for SSO logout from an IdP using OAuth2 or OpenID Connect SSO. For more information about DELEGATE, refer to the Genero Application Server User Guide.

<APPLICATION xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Parent="defaultgwc" 
    xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/5.00/cfextwa.xsd">
  ...
  <EXECUTION>
    ...
    <DELEGATE service="services/OpenIDConnectServiceProvider">
       <IDP>https://myIdp.com</IDP> 
       ...
       <CLIENT_PUBLIC_ID>myIdp_PUBLIC_ID</CLIENT_PUBLIC_ID>
       <CLIENT_SECRET_ID>myIdp_SECRET_ID</CLIENT_SECRET_ID>
       <IDP_LOGOUT_URL>https://myIdp/logout</IDP_LOGOUT_URL>
       <SIGN_OFF>QUERY</SIGN_OFF>
    </DELEGATE>
  </EXECUTION>
  <END_URL>https://myserver/gas/ua/r/myapp</END_URL>
</APPLICATION>
Where:
  • In the IDP_LOGOUT_URL parameter, the URL in the example represents the logout page of the IdP authentication server.
  • In the SIGN_OFF parameter, the logout method is set to QUERY, where the user will be asked each time if they wish to log out. The SIGN_OFF options are:
    • TRUE. Closing the application will perform an SSO logout. Restarting the application, the user will be prompted for SSO login.
    • FALSE. Closing the application will not perform an SSO logout. Restarting the application, the user will not be prompted for SSO login.
    • QUERY. Closing the application, the user is asked whether to log out of the SSO.
  • In the END_URL element, the URL is set to redirect back to the user agent after the logout.
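The rules in Table 1 and Table 2, applied to a DELEGATE block like the one above, as an added Python example (this is not Genero's code, and the OpenIDConnectServiceProvider service does not expose such a function). It reads IDP_LOGOUT_URL, SIGN_OFF and END_URL from an xcf fragment, takes the end_session_endpoint the service would know from ImportOAuth registration or from the IdP metadata, and works out the effective SIGN_OFF and logout URL, rejecting the combinations the tables forbid. The xcf text and the metadata document embedded below are constructed for this example.

```python
"""Work out the effective SSO logout behaviour from an xcf DELEGATE block.

Added example, not Genero's own code. The xcf fragment and the IdP metadata
below are constructed stand-ins; the decision logic mirrors Table 1 and Table 2.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

VALID_SIGN_OFF = {"TRUE", "FALSE", "QUERY"}

# Constructed xcf fragment, modelled on the example configuration above.
SAMPLE_XCF = """<APPLICATION xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Parent="defaultgwc"
    xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/5.00/cfextwa.xsd">
  <EXECUTION>
    <DELEGATE service="services/OpenIDConnectServiceProvider">
       <IDP>https://myIdp.com</IDP>
       <CLIENT_PUBLIC_ID>myIdp_PUBLIC_ID</CLIENT_PUBLIC_ID>
       <CLIENT_SECRET_ID>myIdp_SECRET_ID</CLIENT_SECRET_ID>
       <IDP_LOGOUT_URL>https://myIdp/logout</IDP_LOGOUT_URL>
       <SIGN_OFF>QUERY</SIGN_OFF>
    </DELEGATE>
  </EXECUTION>
  <END_URL>https://myserver/gas/ua/r/myapp</END_URL>
</APPLICATION>
"""

# Constructed stand-in for the .well-known/openid-configuration document the
# service fetches when it registers an OpenID Connect IdP automatically.
SAMPLE_OIDC_METADATA = {
    "issuer": "https://myIdp.com",
    "end_session_endpoint": "https://myIdp.com/oidc/logout",
}


@dataclass
class LogoutPlan:
    sign_off: str                    # effective SIGN_OFF value
    logout_url: Optional[str]        # where the logout request goes, None if no logout
    end_url: Optional[str]           # where the IdP should redirect afterwards
    warnings: list = field(default_factory=list)


def read_xcf(xcf_text: str) -> dict:
    """Extract the logout-relevant settings from an APPLICATION element."""
    root = ET.fromstring(xcf_text)
    delegate = root.find("./EXECUTION/DELEGATE")
    if delegate is None:
        raise ValueError("no EXECUTION/DELEGATE element in the xcf")

    def text(parent, tag):
        el = parent.find(tag)
        return el.text.strip() if el is not None and el.text else None

    return {
        "service": delegate.get("service"),
        "sign_off": text(delegate, "SIGN_OFF"),
        "idp_logout_url": text(delegate, "IDP_LOGOUT_URL"),
        "end_url": text(root, "END_URL"),
    }


def registered_endpoint_from_metadata(metadata: dict) -> Optional[str]:
    """The end_session_endpoint an OpenID Connect IdP advertises, if any."""
    return metadata.get("end_session_endpoint")


def plan_logout(cfg: dict, sso_type: str, registered_endpoint: Optional[str]) -> LogoutPlan:
    """Apply the Table 1 (oauth2) / Table 2 (oidc) rules to the xcf settings."""
    if sso_type not in ("oauth2", "oidc"):
        raise ValueError("sso_type must be 'oauth2' or 'oidc'")
    sign_off = cfg.get("sign_off")
    explicit_url = cfg.get("idp_logout_url")
    warnings = []
    if sign_off is not None:
        sign_off = sign_off.upper()
        if sign_off not in VALID_SIGN_OFF:
            raise ValueError(f"SIGN_OFF must be one of {sorted(VALID_SIGN_OFF)}")

    if registered_endpoint is None:
        # No endpoint registered: logout stays off unless both parameters are set.
        sign_off = sign_off or "FALSE"
        if sign_off != "FALSE" and not explicit_url:
            raise ValueError("SIGN_OFF enables logout but IDP_LOGOUT_URL is not set")
        logout_url = explicit_url
    else:
        default = "QUERY" if sso_type == "oauth2" else "TRUE"
        if sign_off is None:
            sign_off = default
        elif sso_type == "oidc" and sign_off != default and not explicit_url:
            # Table 2: a user-defined SIGN_OFF needs a user-defined logout URL.
            raise ValueError("OpenID Connect: changing SIGN_OFF requires IDP_LOGOUT_URL")
        logout_url = explicit_url or registered_endpoint

    if sign_off == "FALSE":
        logout_url = None
    elif not cfg.get("end_url"):
        warnings.append("END_URL not set; the IdP has nowhere to redirect after logout")
    return LogoutPlan(sign_off, logout_url, cfg.get("end_url"), warnings)


if __name__ == "__main__":
    cfg = read_xcf(SAMPLE_XCF)
    endpoint = registered_endpoint_from_metadata(SAMPLE_OIDC_METADATA)
    print(plan_logout(cfg, "oidc", endpoint))
```

Run it against your own xcf by passing the file contents to read_xcf; the registered endpoint is whatever you registered with ImportOAuth (OAuth2) or whatever the IdP's metadata advertises (OpenID Connect), or None if neither applies.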

Configure SSO logout from Amazon Cognito

To configure SSO logout from the Amazon Cognito authentication server, you must configure both the Genero OpenIDConnect service configuration file and your application configuration file.

About this task:

The Genero OpenIDConnect service configuration file at $FGLDIR/web_utilities/services/openid-connect/res/configuration needs to be set up to use variables ("client_id" and "logout_uri") for the logout procedure.

The values for these variables are set from the IDP_LOGOUT_URL parameter in the application configuration (xcf) file of your application using SSO. In the application configuration file, you must also specify the specific logout method in the SIGN_OFF parameter.

Steps to configure OpenIDConnect:

  1. Configure OpenIDConnect service configuration to use client_id and logout_uri as variables for the logout procedure:
    1. Open the configuration file with a text editor:
      $FGLDIR/web_utilities/services/openid-connect/res/configuration
    2. Set the oidc.logout.identifier setting to "client_id" and the oidc.logout.post_redirect setting to "logout_uri". Your file should have settings as in the following example:
      oidc.logout.identifier="client_id" 
      oidc.logout.post_redirect="logout_uri"

Steps to configure application

  1. Add a DELEGATE element in your application configuration (xcf) file.
    For more information about DELEGATE, refer to the Genero Application Server User Guide.

    This example shows a typical application configuration for SSO logout from Amazon Cognito.

    (Line breaks have been added to improve readability.)
    <APPLICATION xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Parent="defaultgwc" 
        xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/5.00/cfextwa.xsd">
      ...
      <EXECUTION>
        ...
        <DELEGATE service="services/OpenIDConnectServiceProvider"> 
          ...
          <IDP_LOGOUT_URL>https://generognito.auth.eu-west-2.amazoncognito.com/logout
             ?client_id=1kdfflscp5la6aj72oknk9l09s
             &logout_uri=https://eks.ym.gol.generocloud.net/gas/ua/r/authDemo
             &continue=
          </IDP_LOGOUT_URL>
          <SIGN_OFF>QUERY</SIGN_OFF>
        </DELEGATE>
      </EXECUTION>
      <END_URL>https://eks.ym.gol.generocloud.net/gas/ua/r/authDemo</END_URL>
    </APPLICATION>
    Where:
    • In the IDP_LOGOUT_URL parameter, the URL in the example represents the logout page of the Amazon Cognito authentication server – values received when registering your Genero application on Amazon Cognito.
      • The ?client_id query string sets a value for the client_id variable.
      • The &logout_uri query string sets a value for the logout_uri variable.
    • In the SIGN_OFF parameter, the logout method in the example is set to QUERY, where the user will be asked each time if they wish to log out. There are three options:
      • TRUE. Closing the application will perform an SSO logout. Restarting the application, the user will be prompted for SSO login.
      • FALSE. Closing the application will not perform an SSO logout. Restarting the application, the user will not be prompted for SSO login.
      • QUERY. Closing the application, the user is asked whether to log out of the SSO.
    • In the END_URL element, the URL is set to redirect back to the user agent after the logout.
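How the two halves of the Cognito setup fit together, as an added Python example (not Genero's code; the service's internal handling of these settings is not shown on this page). It parses the service configuration lines to learn which query parameters carry the identifier and the post-logout redirect, pulls those values out of the IDP_LOGOUT_URL from the xcf (after removing the line breaks the printed example added for readability), and rebuilds a properly URL-encoded logout URL. The service configuration text and the xcf values are constructed copies of the ones in the steps above; the check that logout_uri matches the application's END_URL is this example's own sanity check, on the assumption that the IdP will only redirect to a sign-out URL registered for the app client.

```python
"""Resolve Cognito logout variables the way the service configuration names them.

Added example, not Genero's own code. SERVICE_CONFIG and the xcf values below
are constructed copies of the ones shown in the steps above.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed copy of the two settings from
# $FGLDIR/web_utilities/services/openid-connect/res/configuration.
SERVICE_CONFIG = '''
oidc.logout.identifier="client_id"
oidc.logout.post_redirect="logout_uri"
'''

# Constructed copy of the IDP_LOGOUT_URL element text, including the
# readability line breaks from the printed example.
RAW_IDP_LOGOUT_URL = """https://generognito.auth.eu-west-2.amazoncognito.com/logout
             ?client_id=1kdfflscp5la6aj72oknk9l09s
             &logout_uri=https://eks.ym.gol.generocloud.net/gas/ua/r/authDemo
             &continue=
"""
END_URL = "https://eks.ym.gol.generocloud.net/gas/ua/r/authDemo"


def parse_service_config(text: str) -> dict:
    """Parse key="value" lines from the openid-connect service configuration file."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def collapse_xcf_url(raw: str) -> str:
    """Remove whitespace and line breaks so the URL is a single token."""
    return "".join(raw.split())


def logout_variables(idp_logout_url: str, settings: dict) -> dict:
    """Pick the identifier and post-redirect values out of IDP_LOGOUT_URL.

    The query parameter names come from oidc.logout.identifier and
    oidc.logout.post_redirect, so a rename in the service configuration
    is honoured here without code changes.
    """
    parts = urlsplit(idp_logout_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    id_name = settings["oidc.logout.identifier"]
    redirect_name = settings["oidc.logout.post_redirect"]
    missing = [name for name in (id_name, redirect_name) if name not in query]
    if missing:
        raise ValueError(f"IDP_LOGOUT_URL lacks query parameter(s): {missing}")
    return {
        "base": urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")),
        "identifier": query[id_name][0],
        "post_redirect": query[redirect_name][0],
    }


def build_logout_url(base: str, client_id: str, logout_uri: str, end_url: str) -> str:
    """Rebuild an encoded logout URL, refusing a logout_uri that is not the END_URL."""
    if logout_uri != end_url:
        raise ValueError(f"logout_uri {logout_uri!r} does not match END_URL {end_url!r}")
    return base + "?" + urlencode({"client_id": client_id, "logout_uri": logout_uri})


if __name__ == "__main__":
    settings = parse_service_config(SERVICE_CONFIG)
    vars_ = logout_variables(collapse_xcf_url(RAW_IDP_LOGOUT_URL), settings)
    print(build_logout_url(vars_["base"], vars_["identifier"], vars_["post_redirect"], END_URL))
```

Note that the xcf example leaves logout_uri unencoded; the rebuilt URL encodes it, which is the form that survives any future value containing characters such as & or #.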

Troubleshooting OpenIDConnect and Google IdP

Google does not follow the OpenID Connect protocol fully. If your IdP is Google, the following steps show how to implement the logout.

Add a DELEGATE element in your application configuration (xcf) file.

Within the DELEGATE element, the GOOGLE_OPENID_PUBLIC_ID and GOOGLE_OPENID_SECRET_ID are values received when registering your Genero Application Server on the Google developer console.

(Line breaks have been added to improve readability.)
<?xml version="1.0" encoding="UTF-8"?>
<APPLICATION Parent="defaultgwc" >
  <EXECUTION>
    <PATH>$(res.deployment.path)</PATH>
    <MODULE>MyApp.42r</MODULE>
    <DELEGATE service="services/OpenIDConnectServiceProvider">
       <IDP>https://accounts.google.com</IDP> 
       <SCOPE>email</SCOPE> 
       <CLIENT_PUBLIC_ID>GOOGLE_OPENID_PUBLIC_ID</CLIENT_PUBLIC_ID>
       <CLIENT_SECRET_ID>GOOGLE_OPENID_SECRET_ID</CLIENT_SECRET_ID>
       <IDP_LOGOUT_URL>https://www.google.com/accounts/Logout?continue=
           https://appengine.google.com/_ah/logout?continue=</IDP_LOGOUT_URL>
       <SIGN_OFF>QUERY</SIGN_OFF>
    </DELEGATE>
  </EXECUTION>
  <AUTO_LOGOUT>
     <TIMEOUT>30</TIMEOUT>
  </AUTO_LOGOUT>
  <END_URL>http://www.4js.com</END_URL>
</APPLICATION>
Where:
  • In the IDP_LOGOUT_URL parameter, the URL in the example represents the logout page of the Google IdP authentication server.
  • In the SIGN_OFF parameter, the logout method is set to QUERY, where the user will be asked each time if they wish to log out. The SIGN_OFF options are:
    • TRUE. Closing the application will perform an SSO logout. Restarting the application, the user will be prompted for SSO login.
    • FALSE. Closing the application will not perform an SSO logout. Restarting the application, the user will not be prompted for SSO login.
    • QUERY. Closing the application, the user is asked whether to log out of the SSO.
  • In the END_URL element, the URL is set to redirect back to the user agent after the logout.