Logout from Gluu Server
OpenID Connect Single Log Out (SLO)
The Gluu Server uses OpenID Connect to end sessions for logout. Usually a logout link is provided to the connected SP and the session is killed inside the IDP.
The workflow for single logout for two applications using OpenID Connect Front-Channel Logout is the following:
- App-A registers.
- App-B registers.
- App-A logs in to the Authorization Server (AS), in this case the Gluu Server.
- App-B logs in to the AS (SSO).
- App-A calls the `/end_session` endpoint.
- The AS returns HTML with iframes, where each iframe points to one of the `frontchannel_logout_uri`s registered within this session; in our case, those of App-A and App-B.
- The browser loads the HTML with all iframes, so it calls every `frontchannel_logout_uri`.
- App-A does not know anything about `frontchannel_logout_uri_2`; it just calls the `/end_session` endpoint, and it is the responsibility of the AS to track the session and return the correct HTML page with iframes. Once the iframe has loaded, `frontchannel_logout_uri_2` has been called and App-B must log itself out.
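The AS-side bookkeeping described above, as an added example that is not Gluu's own code: the AS records every RP that obtained SSO on a session and, when `/end_session` is called, renders one iframe per registered `frontchannel_logout_uri`, appending the `iss` and `sid` parameters from the Front-Channel Logout specification when the RP asked for them. The `Session`/`Client` classes, the issuer and the URLs are assumptions for illustration.

```python
# Added example: minimal model of what the AS must do when App-A calls
# /end_session. Class and function names are assumptions, not Gluu's API.
from dataclasses import dataclass, field
from html import escape
from urllib.parse import urlencode, urlsplit, urlunsplit

ISSUER = "https://idp.example.com"  # constructed issuer value


@dataclass
class Client:
    client_id: str
    frontchannel_logout_uri: str
    frontchannel_logout_session_required: bool = False


@dataclass
class Session:
    sid: str
    clients: dict = field(default_factory=dict)  # client_id -> Client

    def login(self, client: Client) -> None:
        """Record every RP that obtained SSO on this session."""
        self.clients[client.client_id] = client


def logout_uris(session: Session) -> list:
    """Build the front-channel logout URL for every RP in the session.
    Per the spec, iss and sid are appended when the RP requires them."""
    uris = []
    for c in session.clients.values():
        parts = urlsplit(c.frontchannel_logout_uri)
        query = parts.query
        if c.frontchannel_logout_session_required:
            extra = urlencode({"iss": ISSUER, "sid": session.sid})
            query = f"{query}&{extra}" if query else extra
        uris.append(urlunsplit(parts._replace(query=query)))
    return uris


def render_logout_page(session: Session) -> str:
    """HTML returned from /end_session: one iframe per RP, so the browser
    hits each logout URI regardless of which app started the logout."""
    iframes = "".join(
        f'<iframe src="{escape(u, quote=True)}"></iframe>' for u in logout_uris(session))
    return f"<html><body>{iframes}</body></html>"


if __name__ == "__main__":
    s = Session(sid="sess-123")  # constructed session id
    s.login(Client("app-a", "https://app-a.example.com/fc_logout"))
    s.login(Client("app-b", "https://app-b.example.com/fc_logout", True))
    print(render_logout_page(s))
```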
Read the OpenID Connect Front-Channel Logout Specifications to learn more about logout with OpenID Connect.
The Shibboleth IDP (which is included in the Gluu Server) does not support single logout in any meaningful sense. Take a look at the Shibboleth wiki for more information.
To initiate SAML logout, the SP must call the Gluu Server's SAML logout URI, https://<hostname>/idp/logout.jsp. Calling this URL kills the session inside the Gluu Server IDP. The SP must also end its own session, or can implement Force Re-Authentication as well.
It is possible to use a custom authentication script to call individual logout methods for both SAML and OpenID Connect and log out of the desired SP/RPs when the user logs out of the Gluu Server. Please see the Custom Script Guide to start writing your own custom scripts.