You are viewing the documentation for Blueriq 14. Documentation for other versions is available in our documentation directory.
When the user logs out from a Blueriq application, there are two possible outcomes:
- the user logs out from Blueriq only
- the user logs out from both Blueriq and the identity provider, effectively ending the Single-Sign-On session
The outcome is controlled through the blueriq.security.openid-connect.sso-logout property: when set to true, a logout from Blueriq will also trigger a logout from the identity provider by redirecting the user to the provider's End Session Endpoint.
When using SSO logout, the blueriq.security.openid-connect.end-session-endpoint property must be correctly configured. If the end-session-endpoint property is empty or not a valid HTTP URL, the Runtime will generate an error.
This functionality requires the identity provider to support OpenID Connect Session Management 1.0, which is an optional part of the OpenID Connect specification. The Runtime implements Relying Party Initiated Logout.
When redirecting to the End Session Endpoint of the Identity Provider, The Runtime will send the post_logout_redirect_uri parameter pointing to the standard Blueriq logout page (http://<host>:<port>/<context>/server/session/logout.html). The identity provider will redirect the user back to this page after having logged the user out.
Development Tools Component Security Considerations
When the Development Tools Component is in use and standard security settings are in effect, the redirect to the End Session Endpoint will be blocked due to Security: Clickjacking protection. To enable SSO logout with the Development Tools Component, the domain of the identity provider must be added to the "default-src" policy. We recommend adding this property in the application-development-tools.properties file, so it only takes effect when the Development Tools Component is active.
# allow redirecting to the identity provider at example.com blueriq.security.click-jacking-protection.content-security-policy.default-src='self' example.com
Example Configuration
In order to enable SSO logout, sso-logout property must be true and the URL to the End Session Endpoint must be set, as in the following example:
blueriq.security.openid-connect.sso-logout=true blueriq.security.openid-connect.end-session-endpoint=http://example.com/auth/realms/master/protocol/openid-connect/logout
Logout from auth0.com
Auth0.com does not expose the end_session_endpoint
in the metadata, but it defines GET <domain>.auth0.com/v2/logout
for the same purpose. If the discovery feature is turned on and the sso-logout
property is set true, the login in a secured Blueriq application will return an error because the REQUIRED end_session_endpoint
is missing from the auth0.com configuration metadata response. There is no fallback for reading the end-session-endpoint
from the property file if it is not found in the identity provider metadata, so we advice the following when using aut0.com:
- Either don't use discovery and specify the
end-session-endpoint
manually
Or - Set
sso-logout
to false when using discovery feature, but in that case, the logout will not work.