By: san jong user 22 Aug 2016 at 4:27 a.m. CDT

15 Responses
Hi, we have an app (SP) that authenticates with Gluu with SAML. Our app has a "logout" button, which logs out of the application itself. If we also need to log out the SAML session on the Gluu server, should we call <gluu server>/idp/logout.jsp? What is the intended usage of logout.jsp? Do we add another logout button in our app's UI that redirects to <gluu server>/idp/logout.jsp upon clicking the "logout saml session" button? Thanks in advance.

By Mohib Zico Account Admin 22 Aug 2016 at 4:59 a.m. CDT

Hi, yes, /idp/logout.jsp is for SAML logout from the Gluu Server. You can call this (https://hostname_of_your_Gluu_Server/idp/logout.jsp) from your SP to perform logout from the IDP side.
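
Added example, not part of the original thread and not Gluu's code: one way an SP's logout handler could end its local session and then hand the browser to the IdP logout page named in the reply above. The hostname `idp.example.org`, the cookie name and the in-memory session store are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Assumption: placeholder hostname; use your own Gluu Server's host.
IDP_LOGOUT_URL = "https://idp.example.org/idp/logout.jsp"
COOKIE_NAME = "sp_session"  # hypothetical SP session cookie name
SESSIONS = {}               # hypothetical server-side session store: id -> user


def create_session(user):
    """Called by the SP after it has validated the SAML assertion."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def logout_app(environ, start_response):
    """WSGI handler for the SP's own logout button."""
    # Accept POST only, so a plain cross-site link or image tag cannot trigger logout.
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b""]
    # 1. Destroy the server-side session so a copied cookie stops working.
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(COOKIE_NAME)
    if morsel is not None:
        SESSIONS.pop(morsel.value, None)
    # 2. Expire the cookie in the browser.
    expired = f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"
    # 3. Send the browser to the IdP logout page to end the SAML session
    #    there too. The URL is a fixed constant, never taken from the request.
    start_response("303 See Other", [
        ("Location", IDP_LOGOUT_URL),
        ("Set-Cookie", expired),
        ("Cache-Control", "no-store"),
    ])
    return [b""]


def run_logout(method, cookie_header=""):
    """Drive logout_app without a server; returns (status, headers dict)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    logout_app({"REQUEST_METHOD": method, "HTTP_COOKIE": cookie_header}, start_response)
    return seen["status"], seen["headers"]
```

After the IdP logout the user has to start a new login from the SP's SSO link, as the later replies in this thread describe.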

By san jong user 22 Aug 2016 at 5:11 a.m. CDT

Hi, thanks for your prompt reply. In the following case/steps:

1. User accesses our app (SP), is redirected to the Gluu login page
2. User logs in with a Gluu account, is redirected to the SP site
3. User logs out from our app (SP) locally
4. User goes to the Gluu server and is able to see his "profile" on the Gluu server
5. User logs out from the Gluu server by clicking the logout button

Is step no. 5 above the same as calling "idp/logout.jsp"? It seems that clicking the logout button on the UI doesn't kill the SAML session on the Gluu server; is that by design? It seems strange that we need to add a UI or something to our app to trigger the "saml logout" on the Gluu server, and why isn't there a UI on the Gluu server that performs the same task? Thanks and have a nice day.

By san jong user 22 Aug 2016 at 5:14 a.m. CDT

Hi, in addition to that, after calling idp/logout.jsp, is there any way to redirect the page back to the SP? Thanks

By Mohib Zico Account Admin 23 Aug 2016 at 2:07 a.m. CDT

>> user access our app (SP), redirect to gluu login page
>> user login with gluu account, redirect to SP site
>> user logout from our app (SP) locally

If you call IDP's logout link directly from SP that should redirect your users to Gluu Server login page again.

By san jong user 23 Aug 2016 at 4:38 a.m. CDT

Hi, can you please confirm the following question: Does clicking "logout" on Gluu's UI (on the Gluu site/server) terminate all my SAML sessions on that Gluu server? Note: because in our implementation, logout from the Gluu server itself does NOT terminate the previously authenticated SAML session.

By Mohib Zico Account Admin 23 Aug 2016 at 5:16 a.m. CDT

>> Does clicking "logout" on gluu's ui (on gluu site/server) terminate all my SAML session on that gluu server?

Yes it should.

>> note: because on our implementation, logout from gluu server itself does NOT terminate previously authenticated SAML session.

Are you using 2.4.4? If logout happening... we need to do QA and see what's up there.

By san jong user 28 Aug 2016 at 10:18 p.m. CDT

Hi, yes, the Gluu version is 2.4.4.

a.) Log out from the Gluu server's UI, which calls "/identity/logout"
b.) Call <gluu server>/idp/logout.jsp

After performing (a) above, the SP can log in WITHOUT authenticating again. After performing (b) above, the SP needs to authenticate again. Does that mean (a) above DOESN'T terminate my previously authenticated SAML session?

By san jong user 31 Aug 2016 at 9:54 p.m. CDT

Hi, why is this closed?

By Mohib Zico Account Admin 01 Sep 2016 at 2:50 a.m. CDT

Hello SS Jong, Community tickets have no SLA and they will be closed in the regular course of procedure. However, anyone can still insert a comment in any closed ticket.

By Markus Thielen user 01 Sep 2016 at 5:27 a.m. CDT

Hi there, I was wondering what you mean by

> If you call IDP's logout link directly from SP that should redirect your users to Gluu Server login page again.

How does the Gluu Server determine which SP login page it should redirect to? If I simply call idp/logout.jsp, I end up seeing the green "Logged out" page at /finishlogout. The problem is, when I click "Sign in again" the SP context is lost, and after I have logged in, I get redirected to /identity/home instead of the SP's homepage. Any idea what I missed? :( Thank you for any feedback!

By Mohib Zico Account Admin 01 Sep 2016 at 6:26 a.m. CDT

Hi Markus, apologies for the confusion...

>> How does the Gluu Server determine to which SP login page it should redirect?

Not _SP Login_ but _Gluu Server login page_, which is the IDP.

>> If I simply call idp/logout.jsp, I end up with seeing the green "Logged out" page at /finishlogout.

Correct. In our previous versions... instead of showing the green "Logged out" we used to show the initial login (oxAuth login) page. Though it's possible to do a few tweaks and achieve that old behavior, this green login page is 'by design' now.

>> Problem is, when I click "Sign in again" the SP-context is lost and after I have logged in, I will get redirected to /identity/home instead of the SP's homepage.

Yes, that's the perfect workflow. Whenever there is a logout happening... all relationship with the SP should be totally gone.

By Markus Thielen user 01 Sep 2016 at 6:39 a.m. CDT

Hi Mohib, alright. That clears up a lot for me. Though it might be a bit off-topic, can you give me a hint how to change the default route after login from /identity/home to somewhere else? Thanks Markus

By Mohib Zico Account Admin 01 Sep 2016 at 6:41 a.m. CDT

>> can you give me a hint how to change the default route after login from /identity/home to somewhere else?

I think it will be helpful if you can describe the use case a bit more. Not clear much to me yet...

By Markus Thielen user 01 Sep 2016 at 6:57 a.m. CDT

Oh, sorry :( So, I have a simple SAML2 scenario:

1. Go to SP URL
2. Redirect to Gluu-Login
3. Redirect back to SP

All good. Now, when I log out via:

4. .../idp/logout.jsp
5. Redirect to .../finishlogout
6. Click on Sign In Again
7. Redirect to Gluu-Login
9. Logging in...

After I log in now, I get to the /identity/home Dashboard of the user. And it makes sense to me regarding your answer above. But from a user's perspective it doesn't make sense. He/she would expect to get back to the SP's primary page. So it really comes down to the question: when I log in directly to the Gluu server (without being redirected here), how can I change the default "Landing page" for a user after login?

Best
Markus

By Mohib Zico Account Admin 01 Sep 2016 at 7:33 a.m. CDT

>> He/she would expect to get back to the SP's primary page.

It won't go to any SP page. The user needs to 'initiate login' by using the SP's SSO link.