Configure SAML SSO log out

Configure log out from the SAML SSO authentication server after an application ends.

The Genero delegate service, SAMLServiceProvider, automatically asks the user, when the web application is closed, whether to log out from the IdP. You can change this behavior by setting the SSO tag called SIGN_OFF in the DELEGATE element of your application configuration.
Note: If you do not specify SSO logout options in the application configuration, the user will not be logged out from the IdP upon closing the application. This is the equivalent of specifying <SIGN_OFF>FALSE</SIGN_OFF> in the DELEGATE element.

The delegation SSO logout feature is provided in FGLGWS and GAS version 3.20.

  1. Add a DELEGATE element in your application configuration (xcf) file.
    <APPLICATION Parent="defaultgwc">
      <EXECUTION>
        <PATH>$(res.path.mypath)/myapplication</PATH>
        <MODULE>myapp.42r</MODULE>
        <DELEGATE service="services/SAMLServiceProvider">
           <IDP>https://idp.ssocircle.com</IDP>
           <IDFORMAT>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</IDFORMAT>
           <SIGN_OFF>TRUE</SIGN_OFF>
        </DELEGATE>
      </EXECUTION>
      <END_URL>http://www.4js.com</END_URL>
    </APPLICATION>
  2. Add a SIGN_OFF parameter.
    This parameter allows for three possible log out methods from the IdP authentication server:
    • TRUE. Closing the application performs an SSO logout. When the application is restarted, the user is prompted for SSO login.
    • FALSE. Closing the application does not perform an SSO logout. When the application is restarted, the user is not prompted for SSO login.
    • QUERY. When the application is closed, the user is asked whether to log out of the SSO. If the user elects to log out, the IdP needs to redirect back to the user agent; therefore, it is recommended to also specify an application END_URL.
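
The following check reports the effective SIGN_OFF behavior of an application configuration and flags the two cases described above: an absent SIGN_OFF (equivalent to FALSE) and QUERY without an END_URL. It is an added example, not part of the Genero documentation or tooling; the function names and sample configurations are constructed, and it assumes SIGN_OFF values are matched exactly as written on this page and that END_URL sits under APPLICATION as in the example.

```python
import xml.etree.ElementTree as ET

DOCUMENTED_MODES = ("TRUE", "FALSE", "QUERY")  # values listed on this page

def check_sign_off(xcf_text):
    """Return (effective_mode, findings) for one APPLICATION configuration."""
    app = ET.fromstring(xcf_text)
    delegate = app.find(".//DELEGATE")
    if delegate is None:
        return None, ["no DELEGATE element found"]
    findings = []
    node = delegate.find("SIGN_OFF")
    if node is None:
        # Per the note on this page: an absent SIGN_OFF is equivalent to FALSE.
        mode = "FALSE"
        findings.append("SIGN_OFF absent: treated as FALSE")
    else:
        mode = (node.text or "").strip()
        if mode not in DOCUMENTED_MODES:
            return None, ["SIGN_OFF value %r is not TRUE, FALSE or QUERY" % mode]
    if mode == "FALSE":
        findings.append("IdP session survives application close; "
                        "restart is not prompted for SSO login")
    end_url = (app.findtext(".//END_URL") or "").strip()
    if mode == "QUERY" and not end_url:
        findings.append("QUERY without END_URL: an END_URL is recommended "
                        "for the redirect after IdP logout")
    return mode, findings

def sample_xcf(delegate_body, end_url=""):
    # Constructed sample configuration modelled on the example on this page.
    return ('<APPLICATION Parent="defaultgwc"><EXECUTION>'
            '<PATH>$(res.path.mypath)/myapplication</PATH>'
            '<MODULE>myapp.42r</MODULE>'
            '<DELEGATE service="services/SAMLServiceProvider">'
            '<IDP>https://idp.ssocircle.com</IDP>' + delegate_body +
            '</DELEGATE></EXECUTION>' + end_url + '</APPLICATION>')

SAMPLES = {
    "explicit-true": sample_xcf("<SIGN_OFF>TRUE</SIGN_OFF>",
                                "<END_URL>http://www.4js.com</END_URL>"),
    "unset": sample_xcf(""),
    "query-no-end-url": sample_xcf("<SIGN_OFF>QUERY</SIGN_OFF>"),
}

def audit(samples=SAMPLES):
    return {name: check_sign_off(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, (mode, findings) in audit().items():
        print(name, mode, findings)
```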