You can configure the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) to log a user out of an OpenID provider when the WebSphere® Application Server logout is complete.

The HttpServletRequest.logout() and form logout methods make the OIDC TAI remove the single sign-on (SSO) information, which logs the user out of WebSphere Application Server. Some OpenID Connect providers leave information in the browser that keeps the user logged in to the OP, to preserve SSO. If the user goes to a URL protected by the OP again, credentials are not needed even though the user logged out of WebSphere Application Server. This behavior might not be desirable for some use cases.
Before you begin
Make sure that your OpenID Connect Provider (OP) has an end session endpoint. If your OP has a discovery endpoint, check the discovery output for the end_session_endpoint parameter. If your OP does not have a discovery endpoint, contact your administrator to get your end session endpoint. Use form logout or enable your application for programmatic logout.
About this task
By setting the endSessionEndpointEnabled property and the provider_<id>.endSessionEndpoint property, a user's login credentials are removed when they log out. Optionally, you can set your OP to redirect to a separate page after the user logs out. You can also optionally specify a logout page by using a form logout request.
Procedure
- Set the endSessionEndpointEnabled property in your OIDC TAI configuration.
provider_<id>.endSessionEndpointEnabled=true
- If no value is configured for the provider_<id>.discoveryEndpointUrl property, set the provider_<id>.endSessionEndpoint property to the value of the end session endpoint on your OIDC provider. If the provider_<id>.discoveryEndpointUrl property is configured, the provider_<id>.endSessionEndpoint property is set up automatically.
- Optional: Set the provider_<id>.endSessionRedirectUrl property to the endpoint to which you want the OP to redirect after logout. The value of this property is passed as the value of the post_logout_redirect_uri parameter in the logout request to the OP.
- If you provide a value for the provider_<id>.endSessionRedirectUrl property, you must also configure your OP to be aware of the endpoint. The OIDC RP-Initiated Logout 1.0 specification requires that OPs only redirect to post_logout_redirect_uri values that they recognize, thus avoiding unrecognized redirections.
- Consult your OP documentation for the behavior that you experience when the post_logout_redirect_uri parameter is not included in the logout request.
- Optional: If you want to use the value of the logoutExitPage parameter, set the endSessionUseLogoutExitPage property to true. The logoutExitPage parameter is found on a form logout request, which dispatches the ibm_security_logout parameter to a special internal form-logout servlet. The value of the logoutExitPage parameter then acts as a dynamic value for the provider_<id>.endSessionRedirectUrl property.
provider_<id>.endSessionUseLogoutExitPage=true
If the provider_<id>.endSessionUseLogoutExitPage configuration is set to true, the OIDC TAI uses the value that is specified in the logoutExitPage parameter without any modification. If the value is relative, the relative value is included as-is in the logout request that is sent to the OP.
- Optional: If any of your applications use form logout and the value of the provider_<id>.endSessionRedirectUrl property is a URL that does not address the current JVM, make sure that the com.ibm.websphere.security.allowAnyLogoutExitPageHost core security custom property is set to true.
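The following Python model walks through the procedure above end to end: it resolves the end session endpoint (from discovery or from the explicit property), turns endSessionRedirectUrl or a form-logout logoutExitPage into the post_logout_redirect_uri parameter, applies the allowAnyLogoutExitPageHost check, and then performs the OP-side check that RP-Initiated Logout 1.0 requires. This is an added example, not WebSphere or OIDC TAI code. The property names are the ones this page documents; the configuration values, discovery document, OP registration, the current_host value, and the assumption that the host check applies to whichever exit page is finally used are all constructed for the illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed OIDC TAI configuration fragment for a provider with id "op1".
# The property names are the ones this page documents; the values are made up.
TAI_CONFIG = {
    "provider_op1.discoveryEndpointUrl":
        "https://op.example.com/.well-known/openid-configuration",
    "provider_op1.endSessionEndpointEnabled": "true",
    "provider_op1.endSessionRedirectUrl": "https://app.example.com/loggedout",
    "provider_op1.endSessionUseLogoutExitPage": "true",
}

# Constructed discovery document, standing in for what the (hypothetical) OP's
# discovery endpoint returns; the TAI reads end_session_endpoint from here.
DISCOVERY = {
    "issuer": "https://op.example.com",
    "end_session_endpoint": "https://op.example.com/oidc/logout",
}

# Constructed core-security custom property; assumed to default to false.
CORE_SECURITY = {"com.ibm.websphere.security.allowAnyLogoutExitPageHost": "false"}

# Constructed OP-side registration of the post-logout redirect URIs it recognizes.
REGISTERED_POST_LOGOUT_URIS = {"https://app.example.com/loggedout"}


def flag(props, key):
    """True only when the property value is literally 'true' (case-insensitive)."""
    return props.get(key, "false").strip().lower() == "true"


def resolve_end_session_endpoint(cfg, pid, discovery=None):
    """Step 2: with discoveryEndpointUrl configured, the end session endpoint
    comes from discovery; otherwise provider_<id>.endSessionEndpoint must be set."""
    if cfg.get(f"provider_{pid}.discoveryEndpointUrl"):
        if not discovery or not discovery.get("end_session_endpoint"):
            raise ValueError("discovery document has no end_session_endpoint")
        return discovery["end_session_endpoint"]
    endpoint = cfg.get(f"provider_{pid}.endSessionEndpoint")
    if not endpoint:
        raise ValueError("no end session endpoint configured or discovered")
    return endpoint


def build_op_logout_url(cfg, pid, discovery=None, form_logout=False,
                        logout_exit_page=None, current_host="app.example.com",
                        core=CORE_SECURITY):
    """Return the OP logout URL the browser is redirected to after the
    WebSphere logout, or None when end-session logout is disabled (step 1).
    current_host is the host of this JVM (constructed value)."""
    if not flag(cfg, f"provider_{pid}.endSessionEndpointEnabled"):
        return None
    endpoint = resolve_end_session_endpoint(cfg, pid, discovery)

    # Step 3: endSessionRedirectUrl becomes post_logout_redirect_uri.
    redirect = cfg.get(f"provider_{pid}.endSessionRedirectUrl")
    # Step 6: on form logout, logoutExitPage overrides it, unmodified (even if relative).
    if form_logout and logout_exit_page and \
            flag(cfg, f"provider_{pid}.endSessionUseLogoutExitPage"):
        redirect = logout_exit_page
    # Step 7 (assumed to apply to the effective exit page): an exit page on
    # another host is refused unless allowAnyLogoutExitPageHost is true.
    if form_logout and redirect:
        host = urlsplit(redirect).hostname
        if host and host != current_host and not flag(
                core, "com.ibm.websphere.security.allowAnyLogoutExitPageHost"):
            raise PermissionError(
                f"exit page host {host!r} is not this JVM and "
                "allowAnyLogoutExitPageHost is not true")

    if not redirect:
        return endpoint  # step 5: OP-defined behavior without the parameter
    sep = "&" if "?" in endpoint else "?"
    return endpoint + sep + urlencode({"post_logout_redirect_uri": redirect})


def op_accepts_redirect(logout_url, registered=REGISTERED_POST_LOGOUT_URIS):
    """Step 4, seen from the OP: RP-Initiated Logout 1.0 requires the OP to
    redirect only to registered post_logout_redirect_uri values. Returns True
    when registered, False when not, None when the parameter is absent."""
    uri = parse_qs(urlsplit(logout_url).query).get("post_logout_redirect_uri")
    if not uri:
        return None
    return uri[0] in registered


if __name__ == "__main__":
    url = build_op_logout_url(TAI_CONFIG, "op1", DISCOVERY)
    print(url, op_accepts_redirect(url))
```

Running the module with the constructed configuration produces the logout URL with post_logout_redirect_uri set to the registered application page, which the OP-side check accepts; calling build_op_logout_url with form_logout=True and a relative logoutExitPage shows the relative value passed through unchanged, and an exit page on a different host raises PermissionError until the core property is set to true.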