This article is related to HowTo: Implement SSO for applications that do not use GAM.
This article covers the two ways in which an application can perform a logout:
- How to log out from the Client Application.
- How to handle the logout when it is started from the Identity Provider side.
First of all, make sure you have already implemented Single Sign On.
To implement Single Logout (SLO), your application must be logged in using Single Sign On with the GAM Identity Provider.
After your local logout, redirect to the following endpoint:
The Endpoint is: https://gamidentityprovider.com/<virtual_dir>/oauth/gam/signout.
GET
Parms:
client_id: Application Client ID, required.
redirect_uri: The URL-encoded redirection URL to be called by the Identity Provider after the single logout, required.
token: access_token. This access_token is the one provided by the Identity Provider when your application signed in, required.
state: Random string that stores the status before the request, optional.
It is important to check that your redirect_uri is included in the Valid URLs after Single Logout (&GAMApplication.ClientSingleLogoutValidURLsAfterSLO) property of the Client Application in the Identity Provider's Backoffice.
If &GAMApplication.ClientSingleLogoutValidURLsAfterSLO is empty, all URLs are considered valid, so the redirect target after logout is not restricted.
See more about these properties in Identity Provider Configuration for GAM Remote Authentication.
The resulting URL looks as follows:
http://gamidentityprovider.com/<virtual_dir>/oauth/gam/signout?client_id=<client_id>&redirect_uri=<redirect_uri>&token=<access_token>&state=<random_alphanumeric>
When the Identity Provider redirects back, you must validate that the returned state value is the same as the one you sent to the IDP server.
&redirect_uri = !"http://mydomain/myapplication/sampleobjectname.aspx" // URL after single logout
&state = GUID.NewGuid().ToString() // You must save this value.
&WebSession.Set(IdentityProviderParameters.State,&state)
&Token = &WebSession.Get(IdentityProviderParameters.RemoteToken) //Where you stored the provided access_token by the IDP.
&EncodedURL = EncodeUrl.Udp(&redirect_uri) // (1)
&url = format(!"https://gamidentityprovider.com/<virtual_dir>/oauth/gam/signout?client_id=%1&redirect_uri=%2&token=%3&state=%4",
&ClientId.Trim(), // %1
&EncodedURL.Trim(),// %2
&Token.Trim(), // %3
&state.Trim()) // %4
link(&url)
Executing the URL (&url) makes the GAM Identity Provider check whether there is a valid session. If so, the session is finished. Afterwards, the URL specified in the redirect_uri parameter is requested with an HTTP GET.
Notes:
(1) - The code associated with the EncodeUrl Procedure is the following:
&URLEncoded = urlencode(&UrlToEncode)
Make sure to change the Standard Functions property at Object level to: allow non-standard functions.
When the logout is started from the Identity Provider side, your application exposes a service that the GAM Identity Provider calls when one of the applications logged in through SSO launches a sign out.
You have to implement a service that receives and handles the following parameters: client_id, redirect_uri, token and state.
client_id: Your application's Client ID.
redirect_uri: The encoded redirection URL to be called by the Identity Provider after the single logout.
token: The access_token of the session to finish.
state: State value sent by the server.
repository: Repository GUID when using GAM Multitenant, optional.
key: String with encrypted parameters when your application uses "Private Encryption Key" (&GAMApplication.ClientEncryptionKey) property, optional.
In this service, you delete your application's WebSession and then redirect to the Identity Provider.
The Endpoint is: https://gamidentityprovider.com/<virtual_dir>/oauth/gam/signout.
GET
Parms:
client_id: Application Client ID, required.
redirect_uri: The same URL value received for the service, required.
token: access_token. Return the same value received for the service, required.
state: Return the same value received for the service, required.
first_call: must be 0, required.
You must specify your service URL at Custom Single Logout URLs (&GAMApplication.ClientSingleLogoutCustomURLsSLO) property in the Client Application within the Identity Provider's Backoffice.
If this property is empty, by default the SLO URL is the same as the callback URL, but the /oauth/gam/signout service is the one called.
See more about these properties in Identity Provider Configuration for GAM Remote Authentication.
// Rules (Parameters)
Parm(in:&client_id, in:&redirect_uri, in:&token, in:&state, in:&key, in:&repository);

// Validate if the parameters are encrypted
If not &Key.IsEmpty()
    &AppCliEncKey = GetRemoteKey() // your code here: the encryption key configured for your application in the IDP
    &ResponseEnc = Decrypt64(&Key, &AppCliEncKey)
    &aParametersEnc = &ResponseEnc.SplitRegEx(!"&")
    If &aParametersEnc.Count = 3
        &i = 1
        Do while &i <= &aParametersEnc.Count
            &Text = &aParametersEnc.item(&i) // simple parsing
            &VarReg = &Text.SplitRegEx(!"=")
            If &VarReg.Count > 1
                Do Case
                    Case &VarReg.item(1).Trim() = "redirect_uri"
                        &OriginalLogoutURL = &VarReg.item(2).Trim()
                    Case &VarReg.item(1).Trim() = "token"
                        &TokenToFinish = &VarReg.item(2).Trim()
                    Case &VarReg.item(1).Trim() = "state"
                        &GAMTokenState = &VarReg.item(2).Trim()
                EndCase
            Endif
            &i = &i + 1
        EndDo
        // Use the decrypted values in the rest of the procedure (the plain parameters are empty in this case)
        &redirect_uri = &OriginalLogoutURL
        &token = &TokenToFinish
        &state = &GAMTokenState
    Endif
Endif

// Destroy the local session only when the IDP sent the state and the token to finish
If not &State.IsEmpty()
    If not &Token.IsEmpty()
        &WebSession.Destroy()
    Endif
Endif

// IDP server redirection
&GAMIDPURL = !"https://gamidentityprovider.com/<virtual_dir>/oauth/gam/signout"
If not &Key.IsEmpty()
    &GAMIPEncryptionKey = !"1234" // You must use the encryption key stored in the IDP server for your application.
    &Parameters = Format(!"redirect_uri=%1&token=%2&state=%3&first_call=0",
        &redirect_uri.Trim(), // %1
        &token.Trim(),        // %2
        &state.Trim())        // %3
    &Key = Encrypt64(&Parameters, &GAMIPEncryptionKey)
    &url = Format(!"%1?client_id=%2&Key=%3",
        &GAMIDPURL.Trim(), // %1
        &client_id.Trim(), // %2
        &Key.Trim())       // %3
Else
    &url = Format(!"%1?client_id=%2&redirect_uri=%3&token=%4&state=%5&first_call=0",
        &GAMIDPURL.Trim(),    // %1
        &client_id.Trim(),    // %2
        &redirect_uri.Trim(), // %3
        &token.Trim(),        // %4
        &state.Trim())        // %5
Endif
If not &repository.IsEmpty()
    &url += "&repository=" + &repository
Endif
link(&url)
Notes:
- The received parameters are parsed (decrypted first when they arrive in the key parameter).
- The local session is destroyed (your code here).
- The Identity Provider (/oauth/gam/signout) is called using the parameters received and your credentials, with first_call=0.
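The following is an added example, not GeneXus or GAM code, that models both flows of this article in plain Python: the client-initiated signout URL with its saved state and the later state check, and the service that handles an IDP-initiated signout and answers with first_call=0. The IDP host, client_id, token values and the dict used as WebSession are constructed; Encrypt64/Decrypt64 are not reproduced, so the key path takes a caller-supplied decrypt function and only shows the parsing of the decrypted parameter string.

```python
# Added example (not GAM's own code). Sample values are constructed;
# "<virtual_dir>" is kept as the page's placeholder.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

IDP_SIGNOUT = "https://gamidentityprovider.com/<virtual_dir>/oauth/gam/signout"


def build_client_signout_url(session, client_id, redirect_uri):
    """Client-initiated SLO: save a fresh random state, then build the GET URL."""
    state = secrets.token_urlsafe(16)
    session["state"] = state                      # compared again on return
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "token": session["remote_token"], "state": state}
    return IDP_SIGNOUT + "?" + urlencode(query)   # urlencode escapes redirect_uri


def state_matches(session, returned_url):
    """After the IDP redirects back, the state must equal the saved one."""
    returned = parse_qs(urlparse(returned_url).query).get("state", [None])[0]
    return returned is not None and returned == session.get("state")


def parse_decrypted_parameters(plain):
    """Parse 'redirect_uri=...&token=...&state=...' as produced by Decrypt64."""
    fields = {}
    for part in plain.split("&"):
        name, sep, value = part.partition("=")   # first '=' only: URLs may contain '='
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def handle_idp_signout(session, client_id, query, decrypt=None):
    """IDP-initiated SLO: drop the local session, then redirect to the IDP with first_call=0."""
    if query.get("key"):
        fields = parse_decrypted_parameters(decrypt(query["key"]))  # decrypt is assumed
    else:
        fields = query
    if fields.get("state") and fields.get("token"):
        session.clear()                           # equivalent of &WebSession.Destroy()
    reply = {"client_id": client_id, "redirect_uri": fields.get("redirect_uri", ""),
             "token": fields.get("token", ""), "state": fields.get("state", ""),
             "first_call": "0"}
    if query.get("repository"):
        reply["repository"] = query["repository"]
    return IDP_SIGNOUT + "?" + urlencode(reply)   # the only redirect target is the IDP
```

The service never redirects to a caller-supplied URL, only to the fixed IDP endpoint; the redirect_uri is merely echoed back in the query string.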
If the client application is generated with C#, you need to add the following lines to the web.config file under the rules section:
<!--GXIGNORE_START-->
<rule name="GXGamCallback" stopProcessing="true">
<match url="^oauth/gam/signout$" />
<action type="Rewrite" url="alogoutresponse.aspx" />
</rule>
<!--GXIGNORE_END-->
where "logoutresponse" references the GeneXus procedure in charge of the processing.
If the client application is generated with Java, you need to add the following lines to the web.xml file in the WEB-INF directory of the client web app:
<servlet>
<servlet-name>GAMOAuthCallback</servlet-name>
<servlet-class>alogoutresponse</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>GAMOAuthCallback</servlet-name>
<url-pattern>/oauth/gam/signout</url-pattern>
</servlet-mapping>
This behavior is available since GeneXus 15.
Single Sign On in applications using GAM
GAM - GAMRemote Authentication Type