Configure SSO logout

When an application ends, is the user logged out from the Single Sign-On authentication server when using the OpenIDConnect service provider? It depends; configuration may be required.

Most identity providers have not implemented the OpenID Connect session management (logout) protocol. You may need to add the SSO tags IDP_LOGOUT_URL and SIGN_OFF as children of the DELEGATE element in the application configuration to specify how the SSO handles the logout.

For the SIGN_OFF element, three possible logout methods are available from the IdP authentication server:
  • TRUE. Closing the application will perform an SSO logout. Restarting the application, the user will be prompted for SSO login.
  • FALSE. Closing the application will not perform an SSO logout. Restarting the application, the user will not be prompted for SSO login.
  • QUERY. Closing the application, the user is asked whether to log out of the SSO. If the user elects to log out, the IdP needs to redirect back to the user agent; therefore, it is recommended to also specify an application END_URL.
Additionally, how the Genero OpenIDConnectServiceProvider delegate service handles the SSO logout depends on whether an OAuth2 logout or an OpenID Connect logout is executed, which in turn depends on how the IdP information was registered with the OpenIDConnect service provider:
  • If the information was registered automatically by the service provider using the identity provider metadata, then OpenID Connect logout will be executed.
  • If the information was registered manually by the user using the ImportOAuth tool, then OAuth logout will be executed.
Important:

Different IdP providers may require different configuration options. Refer to the IdP documentation for information about the SSO logout options.

OAuth2 logout

By default, a user provides the IdP end session endpoint (if any) when registering the IdP using the ImportOAuth tool.

If no end_session_endpoint was provided at registration:
  • The user will not be logged out by default; the default value of SIGN_OFF is FALSE.
  • To perform a logout, a user has to configure both the SIGN_OFF and IDP_LOGOUT_URL elements in their configuration file.
If an end_session_endpoint was provided at registration:
  • By default, the user will be asked each time if they wish to log out; default value of SIGN_OFF is QUERY.
  • A user can specify another value for SIGN_OFF without having to specify IDP_LOGOUT_URL in their configuration file, as it has already been defined when registering the IdP with the ImportOAuth tool.
  • The end_session_endpoint provided at registration will be used to send the logout request, unless the user wants to specify another one by setting IDP_LOGOUT_URL in their configuration file. (This is not mandatory.)

OpenID Connect logout

By default, if the IdP provides logout functionality, it will provide the end session endpoint in the metadata that is fetched when our OpenIDConnectServiceProvider automatically registers the IdP.

If no end_session_endpoint has been provided by the IdP in its metadata:
  • The user will not be logged out by default; the default value of SIGN_OFF is FALSE.
  • To perform a logout, a user has to configure both the SIGN_OFF and IDP_LOGOUT_URL elements in their configuration file.
If an end_session_endpoint has been provided by the IdP in its metadata:
  • The user will be logged out by default; the default value of SIGN_OFF is TRUE.
  • A user can specify another value for SIGN_OFF; in that case, they must also specify IDP_LOGOUT_URL in their configuration file – the rationale being that if the sign-off is user-defined, the logout URL should also be user-defined.
  • The end_session_endpoint provided by the IdP’s metadata will be used to send the logout request, unless the user wants to provide a different one by setting both IDP_LOGOUT_URL and SIGN_OFF in their configuration file.
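The following is an added example (not Genero's own code) that reads the logout-related children of the DELEGATE element from an xcf file and applies the default and override rules described in the two sections above, for both the ImportOAuth path (OAuth2 logout) and the metadata path (OpenID Connect logout). The xcf fragment and the end_session_endpoint values are constructed; treating a configured SIGN_OFF of TRUE or QUERY with no logout URL at all as a configuration error is an assumption, since the page only states that both elements are needed in that case.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample xcf fragment (not from a real deployment): SIGN_OFF is set
# but IDP_LOGOUT_URL is not, the case whose validity depends on the IdP path.
SAMPLE_XCF = """<?xml version="1.0" encoding="UTF-8"?>
<APPLICATION Parent="defaultgwc">
  <EXECUTION>
    <DELEGATE service="services/OpenIDConnectServiceProvider">
      <IDP>https://idp.example.test</IDP>
      <SIGN_OFF>TRUE</SIGN_OFF>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>"""

VALID_SIGN_OFF = {"TRUE", "FALSE", "QUERY"}

def read_delegate(xcf_text: str) -> dict:
    """Return the logout-related DELEGATE children (None when absent)."""
    delegate = ET.fromstring(xcf_text).find("./EXECUTION/DELEGATE")
    if delegate is None:
        raise ValueError("no DELEGATE element under EXECUTION")
    text = lambda tag: (delegate.findtext(tag) or "").strip() or None
    cfg = {"sign_off": text("SIGN_OFF"), "logout_url": text("IDP_LOGOUT_URL")}
    if cfg["sign_off"] is not None and cfg["sign_off"] not in VALID_SIGN_OFF:
        raise ValueError("SIGN_OFF must be TRUE, FALSE or QUERY")
    return cfg

def resolve_logout(cfg: dict, registered_manually: bool,
                   end_session_endpoint: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return (effective SIGN_OFF, logout URL); registered_manually=True is the
    ImportOAuth/OAuth2 path, False the metadata/OpenID Connect path."""
    sign_off, url = cfg["sign_off"], cfg["logout_url"]
    if end_session_endpoint is None:
        # No endpoint known: default is FALSE; a logout needs both elements.
        if sign_off in (None, "FALSE"):
            return "FALSE", None
        if url is None:  # assumption: flag this as a configuration error
            raise ValueError("SIGN_OFF=%s requires IDP_LOGOUT_URL" % sign_off)
        return sign_off, url
    if sign_off is None:
        # Defaults differ: QUERY for ImportOAuth, TRUE for metadata.
        return ("QUERY" if registered_manually else "TRUE"), end_session_endpoint
    if registered_manually:
        # Registered endpoint is used unless IDP_LOGOUT_URL overrides it.
        return sign_off, url or end_session_endpoint
    if url is None:
        # Metadata path: a user-defined SIGN_OFF needs a user-defined URL.
        raise ValueError("IDP_LOGOUT_URL is required with SIGN_OFF on the metadata path")
    return sign_off, url
```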

Troubleshooting OpenIDConnect and Google IdP

Google does not fully follow the OpenID Connect protocol. If your IdP is Google, the following steps show how to implement the logout.

  1. Add a DELEGATE element in your application configuration (xcf) file.

    Within the DELEGATE element, the GOOGLE_OPENID_PUBLIC_ID and GOOGLE_OPENID_SECRET_ID are values received when registering your Genero Application Server on the Google developer console.

    (Line breaks have been added to improve readability.)
    <?xml version="1.0" encoding="UTF-8"?>
    <APPLICATION Parent="defaultgwc">
      <EXECUTION>
        <PATH>$(res.deployment.path)</PATH>
        <MODULE>MyApp.42r</MODULE>
        <DELEGATE service="services/OpenIDConnectServiceProvider">
           <IDP>https://accounts.google.com</IDP>
           <SCOPE>email</SCOPE>
           <!-- Values received when registering the GAS on the Google developer console -->
           <CLIENT_PUBLIC_ID>GOOGLE_OPENID_PUBLIC_ID</CLIENT_PUBLIC_ID>
           <CLIENT_SECRET_ID>GOOGLE_OPENID_SECRET_ID</CLIENT_SECRET_ID>
           <!-- Logout page of the Google IdP; the line break inside the URL is for readability only -->
           <IDP_LOGOUT_URL>https://www.google.com/accounts/Logout?continue=
               https://appengine.google.com/_ah/logout?continue=</IDP_LOGOUT_URL>
           <!-- QUERY asks the user on exit; END_URL below lets the IdP redirect back -->
           <SIGN_OFF>QUERY</SIGN_OFF>
        </DELEGATE>
      </EXECUTION>
      <AUTO_LOGOUT>
         <TIMEOUT>30</TIMEOUT>
      </AUTO_LOGOUT>
      <END_URL>http://www.4js.com</END_URL>
    </APPLICATION>
  2. Add an IDP_LOGOUT_URL element as a child of the DELEGATE element.

    The URL in the example represents the logout page of the Google IdP authentication server. The URL requirement varies depending on the IdP used. Typically, the URL has the format https://tenant/oidc/logout. Refer to the IdP documentation for information about the logout URL.

  3. Add a SIGN_OFF element as a child of the DELEGATE element.
    This parameter allows for three possible logout methods from the IdP authentication server:
    • TRUE. Closing the application will perform an SSO logout. Restarting the application, the user will be prompted for SSO login.
    • FALSE. Closing the application will not perform an SSO logout. Restarting the application, the user will not be prompted for SSO login.
    • QUERY. Closing the application, the user is asked whether to log out of the SSO. If the user elects to log out, the IdP needs to redirect back to the user agent; therefore, it is recommended to also specify an application END_URL.