...
The outcome is controlled through the blueriq.security.openid-connect.sso-logout property: when set to true, a logout from Blueriq will also trigger a logout from the identity provider by redirecting the user to the provider's End Session Endpoint.
Warning |
---|
When using SSO logout, the blueriq.security.openid-connect.end-session-endpoint property must be correctly configured, either by setting the property or by discovery. If the end-session-endpoint property is empty or not a valid HTTP URL, the Runtime will generate an error. |
...
When redirecting to the End Session Endpoint of the identity provider, the Runtime will send the post_logout_redirect_uri parameter pointing to the standard Blueriq logout page (http://<host>:<port>/<context>/server/session/logout.html). The identity provider will redirect the user back to this page after having logged the user out.
Alternatively, if the Material theme is used, the theme will send the post_logout_redirect_uri parameter pointing to the logged-out route.
Development Tools Component Security Considerations
...
Warning |
---|
Auth0.com does not expose the end_session_endpoint in the metadata, but it defines GET <domain>.auth0.com/v2/logout for the same purpose. If the discovery feature is turned on and the sso-logout property is set to true, the application won't work: logging in to a secured Blueriq application will return an error because the REQUIRED end_session_endpoint is missing from the auth0.com configuration metadata response. There is no fallback for reading the end-session-endpoint from the property file if it is not found in the identity provider metadata, so we advise one of the following when using auth0.com: either don't use discovery and specify the end-session-endpoint manually, or set sso-logout to false when using the discovery feature, but in that case, the logout will not work. |
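
The configuration rules above, as an added example (not Blueriq code): a pre-deployment check that reproduces the documented failure cases for sso-logout with and without discovery, and builds the redirect carrying post_logout_redirect_uri. The function names, the sample metadata and host names, and the reading of "valid HTTP URL" as an http/https scheme plus a host are assumptions.

```python
from urllib.parse import urlencode, urlsplit

def is_http_url(value):
    """Assumed reading of 'valid HTTP URL': http/https scheme plus a host."""
    if not isinstance(value, str):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def resolve_end_session_endpoint(sso_logout, discovery, metadata, configured):
    """Return the endpoint SSO logout would use, or None when sso-logout is false.
    Raises ValueError in the cases the page says produce an error."""
    if not sso_logout:
        return None
    if discovery:
        # Per the page: no fallback to the property file when discovery is on.
        endpoint, source = metadata.get("end_session_endpoint"), "discovery metadata"
    else:
        endpoint, source = configured, "end-session-endpoint property"
    if not is_http_url(endpoint):
        raise ValueError(f"end_session_endpoint from {source} is empty or not an HTTP URL")
    return endpoint

def logout_redirect(endpoint, post_logout_redirect_uri):
    """Build the provider redirect, keeping any query string the endpoint already has."""
    sep = "&" if urlsplit(endpoint).query else "?"
    return endpoint + sep + urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})

# Constructed sample metadata documents (not captured from a real provider).
WITH_ENDPOINT = {"issuer": "https://idp.example", "end_session_endpoint": "https://idp.example/logout"}
WITHOUT_ENDPOINT = {"issuer": "https://tenant.example"}  # metadata lacking the endpoint, as in the Auth0 case

if __name__ == "__main__":
    back = "http://localhost:8080/runtime/server/session/logout.html"  # constructed host/port/context
    manual = "https://tenant.example/v2/logout"  # constructed manual property value
    print(logout_redirect(resolve_end_session_endpoint(True, True, WITH_ENDPOINT, None), back))
    try:
        resolve_end_session_endpoint(True, True, WITHOUT_ENDPOINT, manual)
    except ValueError as exc:
        print("discovery + sso-logout:", exc)  # property value is ignored
    print("no discovery:", resolve_end_session_endpoint(True, False, WITHOUT_ENDPOINT, manual))
```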
...