Configuring OIDC Back-Channel Single Logout

Learn more about OIDC Single Logout

Prerequisites

Web reverse proxy configuration

  • To enable SLO, apply the following configuration changes:

      eai-auth = https

      trigger = <junction>/oauth2/logout*
      trigger = <junction>/oauth2/rplogout*

  • Configure the OP junction to include an additional extended attribute:

      HTTP-Tag-Value session_index=session_index

Configuring IVIAOP

The following configuration snippet defines a client that participates in single logout with the back_channel logout method.

# Copyright contributors to the IBM Verify Identity Access OIDC Provider Resources project
client_id: client_sso_slo
client_secret: "OBF:U2FsdGVkX1989Y/UBwz1BNPbIkv0hgBTcoynJtlRt56hu3TGX+5Kdi4TJ6MLMYtO" # ahwoaor82noawasg is the secret in clear text.
client_name: "AuthorizationCode with logout enabled"
enabled: true
redirect_uris:
- https://www.google.com
grant_types:
- authorization_code
response_types:
- code
- code token
token_endpoint_auth_method: default
require_pkce: true
single_logout_settings:
  logout_option: "back_channel"
  logout_endpoint: "https://application-b:3000/applogout"
  post_logout_redirect_uris: 
    - "http://application-b/traget"
    - https://resource.ibm.com/logout/landing_page.html
  required_session_id: true

Single logout flow

  1. User accesses a protected application (App A)
    a. The app detects no active session and redirects the user to the Identity Provider (OP).
  2. User authenticates with the OpenID Provider (OP)
  3. OP generates an ID token and redirects the user back to App A. The token verifies the user’s identity and may include user information and the session identifier, which can subsequently be used to perform a logout.
  4. User is granted access to App A.
  5. User accesses another protected application (App B).
  6. The OP detects the existing session, skips login and issues an ID token for App B. This completes single sign-on.
  7. User initiates logout from one application (App B).
  8. App B sends a logout request to the OP. In the following example, an id_token_hint is sent to the logout endpoint.
     https://iviaop.ibm.com/isvaop/oauth2/rplogout?id_token_hint=eyJhbGciOiJSUzUxMiIsImtpZCI6Imh0dHBzZXJ2ZXJrZXkiLCJ0eXAiOiJKV1QifQ....B6qEz2aUaoHzqieYTGT0P-3eN-8b2GlHto9Ivz8MQw41L5b7kIqBRPFikZRPLk0xIv7fuBv1DQZWcdOqXshVfkQh0sm_TM2w_ycg55XARFKWgsCKomiCkNRiX5zShRzn8xHYU87yh9LQnDlifOkxY3U8-LFBa0yhOzLQp5ai1VpuRVBjMxBjjeKSKKZ_0BWQcMeydEL3gcT2nWBEqfliRqJ2E_Bco3W8cbx_glj_-Yh9LxaOYQM-4nsrCigut1clF5ZFcS1bI9mK76ifTY4lddMBwOgHOVsxAtdXOoKeZ2_g4Iy6DILPieHnGEIMzLGpdaZCYb8nZgpavFcIqc-_3kS9S9cE6NKv_3eDKxFdybZ3gjcnY47hLXm8AZEbtO5eSgeETMhqF6WXDqM4mwiopAbh-9ryAxShjY5SSN8xDsi9FYb3EWMzvMW3Qa6rE8FEFQcPLte30FxENSwSOME9Tj98gAKU8_n7gcFHDUOf6BhtTvl0PN1HPnRUL7LLA_MGU_nYoTFw31eYCS2TMaWJnh0iFcmZU1IAGJLxj0zer3Cxi3IvGsJ4roP8F-gsNFMxckJ0szeSGfnw75U1bwkySa41vNZf47929atgBzry_Wx_kfA1mD377V3OuzKNvM4U3wfRXK1p0CWfqY7n48VCVpUW-VKNZ0vFgU5CmW61JOQ
  9. When the user is prompted for consent to terminate the session and agrees, the session is terminated at the OP. The OP then notifies all connected applications. App A is configured for back_channel logout, so the OP sends a logout_token to its logout_endpoint.
  10. Each application performs a local logout.
  11. The user's tokens are then revoked.
  12. If post_logout_redirect_uris is configured and the post_logout_redirect_uri parameter sent in the request matches one of the configured values, the browser is redirected to that URI after logout completes. If post_logout_redirect_uris is not configured, a logout summary page is displayed. In the following example, client_id and post_logout_redirect_uri are sent to the logout endpoint.
     https://iviaop.ibm.com/isvaop/oauth2/rplogout?client_id=client01slo&post_logout_redirect_uri=https://resource.ibm.com/logout/landing_page.html
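The receiving side of the back-channel notification, the application's logout_endpoint (https://application-b:3000/applogout in the client snippet above), has to validate the logout_token before it touches any session, because whoever can reach that endpoint with an acceptable token can log users out. The Go program below is an added example, not code from this page or from the IVIAOP product: it verifies the token's signature against the OP's public key with the algorithm pinned to RS512 (the alg the id_token in step 8 shows in its header, together with kid httpserverkey; that the logout token uses the same key and algorithm is an assumption), checks iss, aud, iat and the events claim, rejects a token that carries a nonce or a jti that has already been seen, and only then terminates every local session bound to the sid in the token. The issuer URL, the client id, the in-memory session map, the 300-second iat window and MintLogoutToken (which stands in for the OP) are assumptions made for the demo; the HTTP framing is left out, so the handler receives the logout_token value and returns the status code the application should answer with.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Event URI that must appear in a logout token's "events" claim (OIDC Back-Channel Logout 1.0).
const BackChannelLogoutEvent = "http://schemas.openid.net/event/backchannel-logout"

// Audience accepts "aud" as either a single string or an array of strings.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = Audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// LogoutClaims is the subset of logout-token claims the RP has to check.
type LogoutClaims struct {
	Iss    string                     `json:"iss"`
	Aud    Audience                   `json:"aud"`
	Iat    int64                      `json:"iat"`
	Jti    string                     `json:"jti"`
	Events map[string]json.RawMessage `json:"events"`
	Sid    string                     `json:"sid"`   // always present here because required_session_id is true
	Nonce  *string                    `json:"nonce"` // must be absent; a nonce marks an ID token, not a logout token
}

// RPConfig holds hypothetical RP settings; in production OPKey comes from the OP's jwks_uri, chosen by "kid".
type RPConfig struct {
	Issuer, ClientID string
	OPKey            *rsa.PublicKey
}

// VerifyLogoutToken checks the signature first and every claim after it; nothing touches sessions until it passes.
func VerifyLogoutToken(token string, cfg RPConfig, now time.Time) (*LogoutClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var h struct{ Alg string `json:"alg"` }
	var c LogoutClaims
	digest := sha512.Sum512([]byte(parts[0] + "." + parts[1]))
	switch { // cases run in order, so the claims are only parsed once the signature has been verified
	case json.Unmarshal(raw[0], &h) != nil || h.Alg != "RS512":
		return nil, fmt.Errorf("unexpected alg") // pin the algorithm; never trust the header's choice
	case rsa.VerifyPKCS1v15(cfg.OPKey, crypto.SHA512, digest[:], raw[2]) != nil:
		return nil, fmt.Errorf("bad signature")
	case json.Unmarshal(raw[1], &c) != nil:
		return nil, fmt.Errorf("claims are not JSON")
	case c.Iss != cfg.Issuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case !slices.Contains(c.Aud, cfg.ClientID):
		return nil, fmt.Errorf("token not addressed to this client")
	case c.Iat == 0 || now.Unix()-c.Iat > 300: // 300 s freshness window is an assumption
		return nil, fmt.Errorf("iat missing or not recent")
	case c.Jti == "" || c.Sid == "" || c.Events[BackChannelLogoutEvent] == nil || c.Nonce != nil:
		return nil, fmt.Errorf("not a logout token: jti, sid and the backchannel-logout event are required, nonce is forbidden")
	}
	return &c, nil
}

// HandleBackChannelLogout is the logout_endpoint: sessions maps the OP session id (sid) to local session ids, seenJTI rejects replays, and the return value is the HTTP status the RP answers with.
func HandleBackChannelLogout(sessions map[string][]string, seenJTI map[string]bool, cfg RPConfig, logoutToken string, now time.Time) int {
	c, err := VerifyLogoutToken(logoutToken, cfg, now)
	if err != nil || seenJTI[c.Jti] {
		return 400
	}
	seenJTI[c.Jti] = true
	delete(sessions, c.Sid) // local logout: every session bound to this OP session ends
	return 200
}

// MintLogoutToken stands in for the OP in this demo and produces an RS512-signed logout token.
func MintLogoutToken(priv *rsa.PrivateKey, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": "RS512", "typ": "JWT"})
	p, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(p)
	digest := sha512.Sum512([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

Two design points carry over to any real logout_endpoint: the signature is verified before the claims are even parsed, so an unsigned or foreign-key token never influences session state, and the endpoint answers 400 rather than 200 for anything it cannot accept, since the OP treats 200 as a successful delivery. Only the sessions tied to the token's sid are dropped; a user's other OP sessions, and other users, are untouched.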