Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Introduction

Once you log in to the application using an external provider, you are authenticated in both CoreOne Suite and the external provider.

When you log out, you are only logged out of CoreOne Suite. The decision of whether to also log out from the external provider is up to the customer, as there are valid arguments both for and against doing so.

Setup

Logout from external provider is implemented only for OIDC providers

On the DEV test environment, logout from external provider is configured for both SwissId and KeyCloak. You should be able to just run and test it. But below we will go though the configuration and see what is where (smile)

This is external provider configuration for KeyCloak (servicecorelogin_external_logon_provider table):

{
   "clientid": "cos",
   "clientsecret": "0lLM43yeXPKtBzyH7s3p5mKzWGS1dLVT",
   "authority": "http://localhost:8080/realms/master/",
   "useuserinfoendpoint": true,
   "requirehttpsmetadata": false,
   "useiframelogoutwithidtokenhint":true
 }

You can see useiframelogoutwithidtokenhint is set to true. This has to be set for the logout to work.

Standard OIDC does not require to send id_token_hint when logout but it is required by both SwissId and KeyCloak. When Identity Server does logout - it also send id_token_hint

IFrame is used during logout, so please check that you have servicecorelogin_external_logon_provider.trusted_address set. Otherwise CSP can block the request.

Login

During authentication to external provider the id_token will be saved to CoreOne Suite cache. The reference to the token will ba saved in cookie external_id_token_ref_{auth_scheme}(for multiple browser scenario).

Logout

Based on cookie, the id token is found.

On the logout page the iFrame is rendered with logout request to external provider. It should contain id_token_hint.

Cleanup

During logout we remove id_token that was used as it is not needed anymore. There will be situations when these tokens won’t be removed as no logout was invoked (like when browser simply closed). That means there will be obsolete id_tokens hanging in our cache.

To clean them up there is a process that you can set up using 131, 132 settings Settings .

  • No labels

© ITSENSE AG. Alle Rechte vorbehalten. ITSENSE und CoreOne sind eingetragene Marken der ITSENSE AG.