Logout options for Single Sign On using GAM

Official Content
This documentation is valid for:

Regarding Single Sign On in applications using GAM, there are three different ways to implement a Logout.

First, the following has to be taken into account:

       

  1. The Single Sign On feature behaves as explained in GAM SSO flow of execution. Note that in this architecture there are n client applications (*) and an Identity Provider. All of them have their own GAM.
     
  2. Internally, when the user logs in using the Identity Provider, a user session is created locally (on the local GAM), and two sessions are created on the Identity Provider's GAM. The sessions created on the server IP (from now on, Identity Provider) are the following:
  • The session associated with the pair User - Client. Killing this session removes the user's Identity Provider connection.
  • The user session on the server IP. Killing this session removes the possibility of establishing a new connection to the Identity Provider without performing a new login.

        3. Performing GAMsession.logout on the client without considering any of the options below, does not perform the server logout.

 (*) "client application" means an applications running in a browser/device.

  Examples:  

  •    one browser with three tabs opened with App1, App1, App2 means two "client applications" (i.e. App1 and App2).
  •    one browser with three tabs opened with App1, App1, App2 and another browser in the same device (or not) with App1 and App3 opened means four "client applications" (i.e. App1 and App2 for one side and App1 and App3 for the other side)

Basically, the Logout can be Client-Side exclusively (so the server's user session is kept alive), Identity Provider & Client (the user session on the server IP is killed), and Identity Provider & All Clients (all the client application's sessions are killed for the user, as well as the user session on the server IP).

Client-Side Only

In this scenario, the session associated with the pair User - Client application is killed. Killing this session removes the user's Identity Provider connection. The next time he wants to log in from this client application, the server's Identity Provider session will be used if it remains alive (if it hasn't timed out).

The flow is as follows:

  1. Logout is performed on the client and the user session on the client's GAM database is killed.
  2. The session associated with the pair User - Client application is killed. However, the user's session is kept alive on the server.

Finally, a redirect is done to the GAM Application logout object of the client application where the log out was executed.

i2016_09_02_22_48_436_png

Identity Provider & Client

  1. Logout is done on the client and the user session on the client's GAM database is killed.
  2. The session associated with the pair User - Client application is killed.
  3. The user session on the server Identity Provider is killed. Then, if the user tries to log in, since the server session doesn't exist, he will be asked to enter his credentials again to log in to the Identity Provider. The user remains logged into the other applications while the local session in those applications is alive. 

Finally, a redirect is done to the GAM Application logout object of the client application where the log out was executed.

i2016_09_02_22_47_035_png

Identity Provider & All Clients

  1. Logout is performed on the client and the user session on the client's GAM database is killed.
  2. For all the client applications, the session associated with the pair User - Client application is killed.
  3. The user session is killed on the server.
  4. For each application, the user session on the client application's GAM database is killed.

Finally, a redirect is done to the GAM Application logout object of the client application where the log out was executed.

i2016_09_02_22_44_564_png

Using the Identity Provider & All clients options, since GeneXus 15 Upgrade 11 if the final users logsout from the Identity Provider, the client sessions (who run in the same browser instance) are also finished.

How to configure the Logout options for SSO

The option is configured using the GAM Web Backoffice under the Identity Provider's Repository Configuration (or programmatically, using the GAM API).

i2016_09_02_22_38_572_png

 

 




Was this page helpful?
What Is This?
Your feedback about this content is important. Let us know what you think.