By: Qaiser Iftikhar user 01 Jul 2019 at 3:44 a.m. CDT

6 Responses
We have enabled Passport support in Gluu and enabled couple of external providers. Is there a way to logout of the external provider when user is logging out of gluu?

By William Lowe staff 01 Jul 2019 at 4:19 a.m. CDT

Do the external providers support back channel logout?

By Qaiser Iftikhar user 01 Jul 2019 at 4:47 a.m. CDT

They do support front channel logout. I am not sure if they do/don't support back channel, I have raised the query with them to check if it is supported. I will update this ticket once I have the response.

By Qaiser Iftikhar user 01 Jul 2019 at 4:49 a.m. CDT

Does gluu support back channel external provider logout? Would be helpful if you can point me to the relevant docs.

By William Lowe staff 01 Jul 2019 at 4:54 a.m. CDT

Logout is initiated by the application (the "SP" or "RP" depending on which protocol you're using). When the user logs out of an app, it can send the end session to the external IDPs. Keep in mind, once a user gets a session in an *external* IDP, the session is now outside the control of Gluu. Closing this ticket out, as the basic question has been answered. If you run into specific questions during implementation, please feel free to open a new ticket. But your implementation should simply depend on configuration in your app, and in your external IDPs -- i.e. not Gluu, unless the external IDPs are Gluu Servers themselves.

By Qaiser Iftikhar user 01 Jul 2019 at 5:18 a.m. CDT

I am sorry but that is not a very satisfactory answer. Also it is not very pleasant customer service to close the ticket w/o getting the response from the customer to check if the response has actually answered the question. The application does not know if it is authenticated with an external provider; the app is authenticated with Gluu and the token/session is provided by Gluu. What we are looking to achieve is: when the application ends its session with Gluu we would like to end the session with the external IDP, assuming Gluu knows which external IDP was used to authenticate the user?

By Michael Schwartz staff 01 Jul 2019 at 8:01 a.m. CDT

I re-opened the issue. This is a very tricky use case. Keep in mind that logout is an industry challenge--it's not specific to any vendor. In reality, logout is an asynchronous process: a person initiates a logout (somewhere), and then this requires coordination with a number of websites and IDP's. However, the user does not want to wait a long time for a logout confirmation. This is why the problem is asynchronous: you need to return quickly, and ideally some messages would be sent (or re-sent if necessary), until the logout is achieved. There is a new IETF effort called "Security Events" which is attempting to put together such a solution. However, don't hold your breath for websites and IDP's to support it. No one knows when and if that will happen. In the meantime, logout scenarios need to be considered, and a solution designed, on a case by case basis. You need to take into consideration all the protocols. It's common that a person logs into a SAML IDP, navigates to some SAML protected websites, and then goes to sites protected by OpenID Connect. Of course, OpenID Connect and SAML have different logout mechanisms. Also keep in mind that websites have their own application session, and perhaps their own requirements for logout (which may or may not align with federated identity standards). This can lead to a toxic combination of logout requirements. In version 3.1.6:

```java
    html += "<script>" +
            "window.onload=function() {" +
            "window.location='" + postLogoutUrl + "'" +
            "}" +
            "</script>";
}
html += "<title>Gluu Generated logout page</title>" +
        "</head>" +
        "<body>" +
        "Logout requests sent.<br/>" +
        iframes +
        "</body>" +
        "</html>";
```

When processing this code, oxAuth loads the grant and finds all the clients associated with it. Passport-js is connected to oxAuth via an Authentication interception script. In this script, there is a `logout` method which is invoked at logout, and could be used to make back-channel calls.
If that is not going to work, there are custom workarounds. You can develop a custom landing page to handle the various logouts--both to the Gluu Server, and then to the respective backend IDPs. But this is outside the services provided on this support forum. Your developers, or a professional services provider, would implement this solution, and ask any questions about challenges uncovered along the way here. In version 4.1, we are considering adding another custom interception script for "Person Logout", in which we would offer the ability to overwrite the default logout behaviour described above, and to enable the generation of a page according to this business logic. Hope that helps. We can keep the issue open, but let us know what is your specific question from here.
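The fragment quoted in the previous reply shows the shape of oxAuth's generated front-channel logout page: one iframe per client that shares the grant, plus an `onload` redirect to the post-logout URL. The following is an added example, not oxAuth's or Gluu's code, that models the same fan-out in plain Python so the mechanism can be seen end to end. The `Client` record, the helper names (`collect_frontchannel_logout_uris`, `build_logout_page`), the constructed client list and the allow-list of post-logout URLs are all assumptions of this example. It differs from the quoted fragment in two places a reviewer would flag: every URL is checked to be an absolute https URL and is escaped for the context it lands in (HTML attribute vs. JavaScript string), and the post-logout URL must match a registered value, which is what OpenID Connect RP-Initiated Logout requires of `post_logout_redirect_uri`.

```python
"""Front-channel logout fan-out page, modelled on the oxAuth 3.1.6 fragment
quoted in this ticket. Added example; not Gluu/oxAuth code."""
import json
from dataclasses import dataclass
from html import escape
from typing import Iterable, List, Optional, Set
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Client:
    # Hypothetical minimal client record: id plus the RP's registered
    # front-channel logout URI (None when the RP registered none).
    client_id: str
    frontchannel_logout_uri: Optional[str]


def _is_absolute_https(uri: str) -> bool:
    """Only absolute https URLs may be embedded: rejects javascript:, data:
    and relative values that a registration bug or tampering could inject."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and bool(parts.netloc)


def collect_frontchannel_logout_uris(clients: Iterable[Client]) -> List[str]:
    """The 'load the grant, find all associated clients' step: returns the
    front-channel logout URI of each client, skipping clients without one
    or with one that fails the scheme check."""
    return [
        c.frontchannel_logout_uri
        for c in clients
        if c.frontchannel_logout_uri and _is_absolute_https(c.frontchannel_logout_uri)
    ]


def _js_string_literal(value: str) -> str:
    """JSON-encode for a <script> body; '<' is additionally encoded so a URL
    containing '</script>' cannot terminate the script element."""
    return json.dumps(value).replace("<", "\\u003c")


def build_logout_page(logout_uris: List[str],
                      post_logout_url: Optional[str],
                      registered_post_logout_urls: Set[str]) -> str:
    """Builds the generated logout page: one hidden iframe per RP so each RP
    clears its own session, then an onload redirect to post_logout_url.
    Raises ValueError if post_logout_url was not registered by the client."""
    iframes = "".join(
        '<iframe src="%s" style="display:none" height="0" width="0"></iframe>'
        % escape(uri, quote=True)          # attribute context: HTML-escape
        for uri in logout_uris
    )
    html = "<html><head>"
    if post_logout_url:
        if post_logout_url not in registered_post_logout_urls \
                or not _is_absolute_https(post_logout_url):
            raise ValueError("post_logout_redirect_uri is not registered for this client")
        html += ("<script>window.onload=function(){window.location="
                 + _js_string_literal(post_logout_url) + "}</script>")
    html += ("<title>Gluu Generated logout page</title></head><body>"
             "Logout requests sent.<br/>" + iframes + "</body></html>")
    return html


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    clients = [
        Client("rp1", "https://rp1.example/logout"),
        Client("rp2", None),
        Client("rp3", "javascript:alert(1)"),
        Client("rp4", "https://rp4.example/fc-logout?sid=abc"),
    ]
    uris = collect_frontchannel_logout_uris(clients)
    print(build_logout_page(uris, "https://app.example/after",
                            {"https://app.example/after"}))
```

Two points the example makes concrete: the iframe fan-out only reaches clients of the same grant, so the upstream (external) IdP session the ticket asks about is not among them, which is the limit the staff reply describes; and a page assembled by string concatenation should treat every URL as untrusted input, with a scheme check and context-specific escaping, before it is placed in markup.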