Configure SSO logout
When an application ends, is the user logged out from the Single Sign-On authentication server when using the OpenIDConnect service provider? It depends; configuration may be required.
Most identity providers have not implemented the logout session management protocol. Typically, you will need to configure how the logout from the SSO IdP is handled by setting the IDP_LOGOUT_URL and SIGN_OFF parameters in the DELEGATE element of your application configuration file (xcf).
- For an IdP using OAuth2 SSO, you provide the IdP end_session_endpoint when registering endpoints with the Genero OpenIDConnectServiceProvider service using the ImportOAuth tool. For details about configuring for OAuth logout, go to OAuth2 logout.
- For an IdP using OpenID Connect SSO, the end_session_endpoint is provided in the metadata that is fetched when the OpenIDConnectServiceProvider automatically registers the IdP. For details about configuring for OpenID Connect logout, go to OpenID Connect logout.
Additionally, different IdP providers may require different configuration options. Refer to your IdP's documentation for information about their SSO logout options.
OAuth2 logout

end_session_endpoint registered? | Default | Application configuration
---|---|---
No | The user will not be logged out by default; the default value of SIGN_OFF is FALSE. | To perform a logout, you must get the end_session_endpoint from your IdP and configure both the SIGN_OFF and IDP_LOGOUT_URL parameters in your application configuration file (xcf). If the user elects to log out, the IdP needs to redirect back to the user agent; therefore, it is recommended to also specify an application END_URL. For an example configuration, go to Example application configuration for SSO logout.
Yes | By default, the user will be asked each time if they wish to log out; the default value of SIGN_OFF is QUERY. | The end_session_endpoint provided at registration will be used to send the logout request. It is recommended to also specify an application END_URL. For an example configuration, go to Example application configuration for SSO logout.
OpenID Connect logout

end_session_endpoint registered? | Default | Application configuration
---|---|---
No | The user will not be logged out by default; the default value of SIGN_OFF is FALSE. | To perform a logout, you must get the end_session_endpoint from your IdP and configure both the SIGN_OFF and IDP_LOGOUT_URL parameters in your application configuration file (xcf). If the user elects to log out, the IdP needs to redirect back to the user agent; therefore, it is recommended to also specify an application END_URL. For an example configuration, go to Example application configuration for SSO logout.
Yes | The user will be logged out by default; the default value of SIGN_OFF is TRUE. | The end_session_endpoint provided by the IdP's metadata will be used to send the logout request, unless you want to provide a different one by setting both IDP_LOGOUT_URL and SIGN_OFF in your application configuration file. It is recommended to also specify an application END_URL. For an example configuration, go to Example application configuration for SSO logout.
Example application configuration for SSO logout
This example shows a typical application configuration for SSO logout from an IdP using OAuth2 or OpenID Connect SSO. For more information about DELEGATE, refer to the Genero Application Server User Guide.
<APPLICATION xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Parent="defaultgwc"
xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/5.00/cfextwa.xsd">
...
<EXECUTION>
...
<DELEGATE service="services/OpenIDConnectServiceProvider">
<IDP>https://myIdp.com</IDP>
...
<CLIENT_PUBLIC_ID>myIdp_PUBLIC_ID</CLIENT_PUBLIC_ID>
<CLIENT_SECRET_ID>myIdp_SECRET_ID</CLIENT_SECRET_ID>
<IDP_LOGOUT_URL>https://myIdp/logout</IDP_LOGOUT_URL>
<SIGN_OFF>QUERY</SIGN_OFF>
</DELEGATE>
</EXECUTION>
<END_URL>https://myserver/gas/ua/r/myapp</END_URL>
</APPLICATION>
Where:
- In the IDP_LOGOUT_URL parameter, the URL in the example represents the logout page of the IdP authentication server.
- In the SIGN_OFF parameter, the logout method is set to QUERY, where the user will be asked each time if they wish to log out. The SIGN_OFF options are:
  - TRUE. Closing the application will perform an SSO logout. Restarting the application, the user will be prompted for SSO login.
  - FALSE. Closing the application will not perform an SSO logout. Restarting the application, the user will not be prompted for SSO login.
  - QUERY. Closing the application, the user is asked whether to log out of the SSO.
- In the END_URL element, the URL is set to redirect back to the user agent after the logout.
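The following is an added checker, not part of the Genero product or its documentation, that applies the rules from the OAuth2 and OpenID Connect logout tables and the example configuration above to an xcf file: it resolves the effective SIGN_OFF default, which logout URL will be used (an explicit IDP_LOGOUT_URL or the IdP's end_session_endpoint), and flags a missing END_URL. The sample xcf, host names and the end_session_endpoint values are constructed; the OpenIDConnectServiceProvider's own behaviour beyond what the tables state is not modelled.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

VALID_SIGN_OFF = {"TRUE", "FALSE", "QUERY"}

# Constructed sample xcf (not a real deployment): explicit IDP_LOGOUT_URL and SIGN_OFF.
SAMPLE_XCF = """<APPLICATION Parent="defaultgwc">
  <EXECUTION>
    <DELEGATE service="services/OpenIDConnectServiceProvider">
      <IDP>https://idp.example.test</IDP>
      <IDP_LOGOUT_URL>https://idp.example.test/logout</IDP_LOGOUT_URL>
      <SIGN_OFF>QUERY</SIGN_OFF>
    </DELEGATE>
  </EXECUTION>
  <END_URL>https://gas.example.test/gas/ua/r/myapp</END_URL>
</APPLICATION>"""

def effective_logout(xcf_text, end_session_endpoint=None, protocol="oidc"):
    """Resolve the logout behaviour this xcf gets. end_session_endpoint is the IdP
    endpoint from discovery metadata (OIDC) or registered with ImportOAuth (OAuth2),
    None if absent; protocol is "oidc" or "oauth2". Returns (sign_off, url, warnings)."""
    root = ET.fromstring(xcf_text)
    delegate = root.find("./EXECUTION/DELEGATE")
    if delegate is None or delegate.get("service") != "services/OpenIDConnectServiceProvider":
        raise ValueError("no OpenIDConnectServiceProvider DELEGATE element")
    sign_off = (delegate.findtext("SIGN_OFF") or "").strip().upper()
    idp_logout_url = (delegate.findtext("IDP_LOGOUT_URL") or "").strip()
    end_url = (root.findtext("END_URL") or "").strip()
    if sign_off and sign_off not in VALID_SIGN_OFF:
        raise ValueError(f"SIGN_OFF must be TRUE, FALSE or QUERY, got {sign_off!r}")
    warnings = []
    if not sign_off:
        # Defaults from the logout tables: no endpoint -> FALSE;
        # endpoint present -> QUERY for OAuth2, TRUE for OpenID Connect.
        if end_session_endpoint is None:
            sign_off = "FALSE"
        else:
            sign_off = "QUERY" if protocol == "oauth2" else "TRUE"
        if idp_logout_url:
            warnings.append("IDP_LOGOUT_URL is set without SIGN_OFF; set both to override")
    logout_url = idp_logout_url or end_session_endpoint  # an explicit IDP_LOGOUT_URL wins
    if sign_off != "FALSE":
        if not logout_url:
            warnings.append("logout enabled but no end_session_endpoint known: set IDP_LOGOUT_URL")
        elif urlparse(logout_url).scheme != "https":
            warnings.append(f"logout URL is not https: {logout_url}")
        if not end_url:
            warnings.append("END_URL missing: IdP cannot redirect back to the user agent")
    return sign_off, logout_url, warnings
```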
Configure SSO logout from Amazon Cognito
To configure SSO logout from the Amazon Cognito authentication server, you must configure both the Genero OpenIDConnect service configuration file and your application configuration file.
The Genero OpenIDConnect service configuration file at $FGLDIR/web_utilities/services/openid-connect/res/configuration needs to be set up to use variables ("client_id" and "logout_uri") for the logout procedure.
The values for these variables are set from the IDP_LOGOUT_URL parameter in the application configuration (xcf) file of your application using SSO. In the application configuration file, you must also specify the specific logout method in the SIGN_OFF parameter.
Steps to configure OpenIDConnect:
Steps to configure application
Troubleshooting OpenIDConnect and Google IdP
Google does not follow the OpenID Connect protocol fully. If your IdP provider is Google, the following steps show how to implement the logout in the DELEGATE element of your application configuration (xcf) file.
Within the DELEGATE element, GOOGLE_OPENID_PUBLIC_ID and GOOGLE_OPENID_SECRET_ID are the values received when registering your Genero Application Server on the Google developer console.
<?xml version="1.0" encoding="UTF-8"?>
<APPLICATION Parent="defaultgwc" >
<EXECUTION>
<PATH>$(res.deployment.path)</PATH>
<MODULE>MyApp.42r</MODULE>
<DELEGATE service="services/OpenIDConnectServiceProvider">
<IDP>https://accounts.google.com</IDP>
<SCOPE>email</SCOPE>
<CLIENT_PUBLIC_ID>GOOGLE_OPENID_PUBLIC_ID</CLIENT_PUBLIC_ID>
<CLIENT_SECRET_ID>GOOGLE_OPENID_SECRET_ID</CLIENT_SECRET_ID>
<IDP_LOGOUT_URL>https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=</IDP_LOGOUT_URL>
<SIGN_OFF>QUERY</SIGN_OFF>
</DELEGATE>
</EXECUTION>
<AUTO_LOGOUT>
<TIMEOUT>30</TIMEOUT>
</AUTO_LOGOUT>
<END_URL>http://www.4js.com</END_URL>
</APPLICATION>
- In the IDP_LOGOUT_URL parameter, the URL in the example represents the logout page of the Google IdP authentication server.
- In the SIGN_OFF parameter, the logout method is set to QUERY, where the user will be asked each time if they wish to log out. The SIGN_OFF options are:
  - TRUE. Closing the application will perform an SSO logout. Restarting the application, the user will be prompted for SSO login.
  - FALSE. Closing the application will not perform an SSO logout. Restarting the application, the user will not be prompted for SSO login.
  - QUERY. Closing the application, the user is asked whether to log out of the SSO.
- In the END_URL element, the URL is set to redirect back to the user agent after the logout.