This article is related to HowTo: Implement SSO for applications that do not use GAM.
Here you will find the two ways an application can perform a logout:
- How to logout from the Client Application.
- How to do the Logout when it is started from the Identity Provider side.
First of all, make sure you have already implemented Single Sign On.
To implement Single Logout (SLO), your application must be logged in using Single Sign On with the GAM Identity Provider.
Logout from the Client Application: after your own logout, redirect to the Identity Provider's signout endpoint.
The Endpoint is: https://<idp_domain>/<virtual_dir>/oauth/gam/signout.
Method: GET
Parms:
client_id: Application Client ID, required.
redirect_uri: The URL-encoded redirection URL that the Identity Provider calls after the single logout, required.
token: access_token. This access_token is provided by the Identity Provider when your application signs in, required.
state: Random string that stores the status before the request, optional.
It is important to check that your redirect_uri is included in the Valid URLs after Single Logout (&GAMApplication.ClientSingleLogoutValidURLsAfterSLO) property of the Client Application in the Identity Provider's Backoffice.
If &GAMApplication.ClientSingleLogoutValidURLsAfterSLO is empty, all URLs will be valid.
See more about these properties in Identity Provider Configuration for GAM Remote Authentication.
The resulting URL will look like this:
https://<idp_domain>/<virtual_dir>/oauth/gam/signout?client_id=<client_id>&redirect_uri=<redirect_uri>&token=<access_token>&state=<random_alphanumeric>
The state sent must be stored so it can be validated later; the state parameter itself is optional.
&redirect_uri = !"http://mydomain/myapplication/sampleobjectname.aspx" // URL to return to after single logout
&state = GUID.NewGuid().ToString() // You must save this value to validate it on return
&WebSession.Set(IdentityProviderParameters.State, &state)
&Token = &WebSession.Get(IdentityProviderParameters.RemoteToken) // Where you stored the access_token provided by the IDP
&EncodedURL = EncodeUrl.Udp(&redirect_uri) // (1) URL-encode redirect_uri before placing it in the query string
&url = format(!"https://<idp_domain>/<virtual_dir>/oauth/gam/signout?client_id=%1&redirect_uri=%2&token=%3&state=%4",
    &ClientId.Trim(),   // %1 Application Client ID
    &EncodedURL.Trim(), // %2 encoded redirect_uri
    &Token.Trim(),      // %3 access_token
    &state.Trim())      // %4 state
link(&url)
Executing the URL (&url) checks in the GAM Identity Provider whether there is a valid session. If so, the session is finished. Afterwards, the URL specified in the redirect_uri parameter is requested with an HTTP GET, carrying the state parameter sent by the IDP; you must validate that the state value received is the same as the one you sent to the IDP Server.
Notes:
(1) - The code of the EncodeUrl Procedure is the following:
&URLEncoded = urlencode(&UrlToEncode)
Make sure to change the Standard Functions property at Object level to: allow non-standard functions.
Logout started from the Identity Provider side: it is a service that calls the GAM Identity Provider when one of the applications logged in with SSO launches a sign out.
You have to implement a service that receives and handles the following parameters: client_id, redirect_uri, token and state.
client_id: Your application's Client ID.
redirect_uri: The URL-encoded redirection URL that the Identity Provider calls after the single logout.
token: The access_token to finish.
state: Server state.
In this service, delete your application's WebSession and redirect to the URL specified in the redirect_uri parameter.
For example, if you received redirect_uri=https://<domain>/<virtual_dir>/oauth/gam/signout, the request will be the following:
GET
https://<domain>/<virtual_dir>/oauth/gam/signout
Parms:
state: Return the same value received by the service, required.
You must specify your service URL in the Custom Single Logout URLs (&GAMApplication.ClientSingleLogoutCustomURLsSLO) property of the Client Application in the Identity Provider's Backoffice.
If this property is empty, by default the SLO URL is the same as the callback URL, but the /oauth/gam/signout service is called.
See more about these properties in Identity Provider Configuration for GAM Remote Authentication.
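Both flows described above (the client-initiated signout URL with state validation, and the service for a logout started from the Identity Provider side) as an added Python example; this is not code from the page or from GAM, and the endpoint, client_id, session keys and sample values are constructed stand-ins for your own deployment's settings.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values (assumptions): replace with your deployment's settings.
IDP_SIGNOUT = "https://idp.example.test/idp/oauth/gam/signout"  # https://<idp_domain>/<virtual_dir>/oauth/gam/signout
CLIENT_ID = "my-client-id"
REDIRECT_AFTER_SLO = "http://mydomain/myapplication/sampleobjectname.aspx"


def build_signout_url(session: dict) -> str:
    """Client-initiated SLO: store a fresh random state in the session and build the IdP signout URL.
    urlencode() percent-encodes redirect_uri, the same job the EncodeUrl procedure does on the page."""
    state = secrets.token_urlsafe(16)
    session["State"] = state  # must be kept to validate the return trip
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_AFTER_SLO,
        "token": session["RemoteToken"],  # access_token provided by the IdP at sign-in
        "state": state,
    }
    return f"{IDP_SIGNOUT}?{urlencode(params)}"


def validate_return(session: dict, return_url: str) -> bool:
    """Handler for redirect_uri after the IdP finished the session: the received state
    must equal the stored one. The stored state is consumed so it cannot be replayed."""
    received = parse_qs(urlparse(return_url).query).get("state", [""])[0]
    expected = session.pop("State", "")
    return bool(expected) and hmac.compare_digest(received, expected)


def handle_idp_initiated_slo(session: dict, request_url: str) -> str:
    """Service called for a logout started on the IdP side: drop the local WebSession and
    redirect back to redirect_uri with the received state. redirect_uri is checked against the
    known IdP signout endpoint before redirecting, so the service cannot be used as an open redirect
    (assumption: the IdP always sends its own signout URL, as in the page's example)."""
    q = parse_qs(urlparse(request_url).query)
    if q.get("client_id", [""])[0] != CLIENT_ID:
        raise ValueError("client_id does not match this application")
    redirect_uri = q.get("redirect_uri", [""])[0]
    state = q.get("state", [""])[0]
    target, expected = urlparse(redirect_uri), urlparse(IDP_SIGNOUT)
    if (target.scheme, target.netloc, target.path) != (expected.scheme, expected.netloc, expected.path):
        raise ValueError("redirect_uri is not the Identity Provider signout endpoint")
    session.clear()  # delete the application's session
    return f"{redirect_uri}?{urlencode({'state': state})}"
```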
Single Sign On in applications using GAM
GAM - GAMRemote Authentication Type