Page History
When the user logs out from a Blueriq application, there are two possible outcomes:
- the user logs out from Blueriq only
- the user logs out from both Blueriq and the identity provider, effectively ending the Single-Sign-On session
The outcome is controlled through the blueriq.security.openid-connect.sso-logout
property: when set to true, a logout from Blueriq will also trigger a logout from the identity provider by redirecting the user to the provider's End Session Endpoint.
Warning |
---|
When using SSO logout, the |
Info |
---|
This functionality requires the identity provider to support OpenID Connect Session Management 1.0, which is an optional part of the OpenID Connect specification. The Runtime implements Relying Party Initiated Logout. |
When redirecting to the End Session Endpoint of the Identity Provider, the Runtime will send the post_logout_redirect_uri
parameter pointing to the standard Blueriq logout page (http://<host>:<port>/<context>/server/session/logout.html). The identity provider will redirect the user back to this page after having logged the user out.
Alternatively, if the Material theme is used, the theme will send the post_logout_redirect_uri
parameter pointing to the logged-out route.
Development Tools Component Security Considerations
When the Development Tools Component is in use and standard security settings are in effect, the redirect to the End Session Endpoint will be blocked due to Security: Clickjacking protection. To enable SSO logout with the Development Tools Component, the domain of the identity provider must be added to the "default-src" policy. We recommend adding this property in the application-development-tools.properties file, so it only takes effect when the Development Tools Component is active.
Code Block | ||
---|---|---|
| ||
# allow redirecting to the identity provider at example.com
blueriq.security.click-jacking-protection.content-security-policy.default-src='self' example.com |
Example Configuration
In order to enable SSO logout, sso-logout property must be true and the URL to the End Session Endpoint must be set, as in the following example:
Code Block | ||
---|---|---|
| ||
blueriq.security.openid-connect.sso-logout=true
blueriq.security.openid-connect.end-session-endpoint=http://example.com/auth/realms/master/protocol/openid-connect/logout |
Logout from auth0.com
Warning |
---|
Auth0.com does not expose the
|