You are viewing the documentation for Blueriq 17. Documentation for other versions is available in our documentation directory.

When the user logs out from a Blueriq application, there are two possible outcomes:

  • the user logs out from Blueriq only
  • the user logs out from both Blueriq and the identity provider, effectively ending the Single-Sign-On session


The outcome is controlled through the blueriq.security.openid-connect.sso-logout property: when set to true, a logout from Blueriq also triggers a logout from the identity provider by redirecting the user's browser to the provider's End Session Endpoint. When set to false, only the Blueriq session is ended and the session at the identity provider stays active.

When using SSO logout, the blueriq.security.openid-connect.end-session-endpoint property must be correctly configured, either by setting the property explicitly or by discovery. If the end-session-endpoint value is empty or not a valid HTTP URL, the Runtime will generate an error.

This functionality requires the identity provider to support OpenID Connect Session Management 1.0, which is an optional part of the OpenID Connect specification; providers that do not publish an End Session Endpoint cannot be used for SSO logout. The Runtime implements Relying Party Initiated Logout: the relying party (Blueriq) redirects the browser to the provider's End Session Endpoint rather than calling it server-to-server.


When redirecting to the End Session Endpoint of the Identity Provider, the Runtime sends the post_logout_redirect_uri parameter pointing to the standard Blueriq logout page (http://<host>:<port>/<context>/server/session/logout.html). The identity provider redirects the user back to this page after it has logged the user out. Most providers only honour post_logout_redirect_uri values that have been registered for the client, so the logout page URL must also be registered at the identity provider.

Alternatively, if the Material theme is used, the theme sends the post_logout_redirect_uri parameter pointing to its logged-out route instead of the standard logout page.


Development Tools Component Security Considerations

When the Development Tools Component is in use and the standard security settings are in effect, the redirect to the End Session Endpoint is blocked by the Content Security Policy that Security: Clickjacking protection applies. To enable SSO logout with the Development Tools Component, the domain of the identity provider must be added to the "default-src" policy. We recommend adding this property in the application-development-tools.properties file, so it only takes effect when the Development Tools Component is active. Keep the added entry as narrow as possible (the identity provider's host only), because default-src is the fallback for every CSP directive that is not set explicitly.


application-development-tools.properties
# allow redirecting to the identity provider at example.com
blueriq.security.click-jacking-protection.content-security-policy.default-src='self' example.com


Example Configuration

In order to enable SSO logout, the sso-logout property must be true and the URL of the End Session Endpoint must be set, as in the following example. In production the End Session Endpoint should be served over HTTPS; the http URL below is for illustration only.


application.properties
blueriq.security.openid-connect.sso-logout=true
blueriq.security.openid-connect.end-session-endpoint=http://example.com/auth/realms/master/protocol/openid-connect/logout

Logout from auth0.com

Auth0.com does not expose the end_session_endpoint in its discovery metadata, but it defines GET <domain>.auth0.com/v2/logout for the same purpose. If the discovery feature is turned on and the sso-logout property is set to true, logging in to a secured Blueriq application will return an error, because the end_session_endpoint that SSO logout requires is missing from the auth0.com configuration metadata response. There is no fallback to the end-session-endpoint property when the value is not found in the identity provider metadata, so we advise one of the following when using auth0.com:

  • Either don't use discovery and specify the end-session-endpoint manually, pointing it at the /v2/logout URL,
    or
  • Keep discovery on and set sso-logout to false; logout then ends only the Blueriq session, and the session at the identity provider remains active.
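The following Python script is an added example, not Blueriq Runtime code, that models the rules described on this page (the End Session Endpoint redirect with post_logout_redirect_uri, the "empty or not a valid HTTP URL" check, and the absence of a fallback from discovery metadata to the property) so they can be checked offline. The metadata documents, the localhost Runtime URL and the auth0 tenant name are constructed samples; the id_token_hint parameter is an assumption taken from the RP-Initiated Logout specification and is not something this page describes the Runtime sending.

```python
"""Added example (not Blueriq code): models RP-initiated logout
configuration rules so they can be checked without a Runtime or provider."""
from urllib.parse import urlencode, urlsplit


class ConfigurationError(Exception):
    """Raised where the page says the Runtime 'will generate an error'."""


def is_valid_http_url(value):
    """The Runtime rejects an empty or non-HTTP(S) end-session-endpoint."""
    if not value:
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def resolve_end_session_endpoint(sso_logout, discovery, metadata, configured):
    """Resolve the End Session Endpoint the way this page describes.

    sso_logout False: plain Blueriq logout, no provider endpoint needed.
    discovery True:   the endpoint must come from the provider metadata;
                      there is no fallback to the configured property.
    discovery False:  the configured end-session-endpoint property is used.
    In both enabled cases the result must be a valid HTTP(S) URL.
    """
    if not sso_logout:
        return None
    if discovery:
        endpoint = (metadata or {}).get("end_session_endpoint")
        if not endpoint:
            raise ConfigurationError(
                "end_session_endpoint missing from provider metadata "
                "(no fallback to the end-session-endpoint property)")
    else:
        endpoint = configured
    if not is_valid_http_url(endpoint):
        raise ConfigurationError(
            "end-session-endpoint is empty or not a valid HTTP URL: %r" % (endpoint,))
    return endpoint


def build_logout_redirect(end_session_endpoint, post_logout_redirect_uri, id_token_hint=None):
    """Build the browser redirect to the provider's End Session Endpoint.

    post_logout_redirect_uri is the Blueriq page the provider returns to.
    id_token_hint is an assumption from the RP-Initiated Logout spec
    (providers use it to match the session); it is not described on the page.
    """
    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    separator = "&" if "?" in end_session_endpoint else "?"
    return end_session_endpoint + separator + urlencode(params)


# Constructed sample metadata documents (not real provider responses).
KEYCLOAK_LIKE_METADATA = {
    "issuer": "http://example.com/auth/realms/master",
    "end_session_endpoint": "http://example.com/auth/realms/master/protocol/openid-connect/logout",
}
AUTH0_LIKE_METADATA = {
    "issuer": "https://tenant.example.auth0.com/",
    # no end_session_endpoint: auth0 offers /v2/logout instead
}
AUTH0_MANUAL_ENDPOINT = "https://tenant.example.auth0.com/v2/logout"  # assumed tenant

# Assumed host/context for the standard Blueriq logout page.
BLUERIQ_LOGOUT_PAGE = "http://localhost:8080/Runtime/server/session/logout.html"


if __name__ == "__main__":
    # Keycloak-like provider with discovery: works, and yields the redirect.
    ep = resolve_end_session_endpoint(True, True, KEYCLOAK_LIKE_METADATA, None)
    print(build_logout_redirect(ep, BLUERIQ_LOGOUT_PAGE))
    # auth0 with discovery on: fails, even though a property is configured.
    try:
        resolve_end_session_endpoint(True, True, AUTH0_LIKE_METADATA, AUTH0_MANUAL_ENDPOINT)
    except ConfigurationError as exc:
        print("discovery + auth0:", exc)
    # auth0 with discovery off and the endpoint set manually: works.
    print(resolve_end_session_endpoint(True, False, AUTH0_LIKE_METADATA, AUTH0_MANUAL_ENDPOINT))
```

Running the script shows the three cases side by side: the discovered Keycloak-style endpoint produces a redirect carrying the URL-encoded logout page, the auth0 metadata with discovery on fails before any redirect is built even though a property is present, and the manual configuration resolves the /v2/logout URL.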
