Single Sign Out
  • 04 Apr 2024

Visma Connect IdP supports both Back-Channel Logout and Front-Channel Logout. Implementing Back-Channel Logout is recommended: it is a direct server-to-server call from Visma Connect to your application and does not depend on the user's browser loading a third-party iframe or sending cookies to it.

Back-Channel Logout

To use Back-Channel Logout, an application must expose a publicly reachable Back-Channel Logout URI (HTTPS) at which it receives POST requests carrying a Logout Token. The request comes from Visma Connect's servers, not from the user's browser, so it carries no session cookie: the claims in the token are the only link to the local session. When an application receives this request it must first validate the token (signature, issuer, audience, time window, the events claim and the jti) and then clear the local session state matching the token's sub and/or sid claims.

Request to Back-Channel Logout URI:

  • HTTP Method: POST

  • Content-Type: application/x-www-form-urlencoded

  • Form content (key-value pairs): logout_token=<jwt_token>

Logout Token claims (a Logout Token always carries sub, sid or both, and never a nonce):

  • aud (audience): The client ID for which the Logout Token is intended. Reject tokens whose aud does not include your client ID.

  • iat (issued at time): Time at which the token was issued.

  • iss (issuer): Unique identifier of the Identity Provider that issued the JWT. It must equal the Visma Connect issuer URL shown in the example below.

  • sub (subject): Identifies the unique user identity that is the subject of the JWT.

  • events: JSON object containing the member name "http://schemas.openid.net/event/backchannel-logout". The value of the member MUST be an empty JSON object. This declares that the JWT is a Logout Token and not an ID token.

  • sid (session id): Identifier of the user's session at the IdP. Use it, together with sub, to locate the local session(s) to terminate.

  • jti (JWT ID): Unique identifier of the token. Record it and reject any token whose jti you have already processed; this prevents Logout Token replays.

  • nbf (not before): Identifies the time before which the token MUST NOT be accepted for processing.

  • exp (expiration time): Limits the time window during which the JWT can be used. The App must reject any JWT whose expiration time has passed, subject to allowable clock skew between systems. Set to expire 300 seconds after the issued-at time.

Example of JWT Logout Token:

{
  "iss": "https://connect.visma.com",
  "nbf": 1683185167,
  "iat": 1683185167,
  "exp": 1683185467,
  "aud": "your_apps_client_id",
  "jti": "E431A3A2A9375CEA81BC576283BBE070",
  "events": {
    "http://schemas.openid.net/event/backchannel-logout": {}
  },
  "sub": "a219705d-f587-4fe9-a424-bb5d35039704",
  "sid": "1739dfff-8a9e-c3c5-de28-fd84a56292fc"
}

Front-Channel Logout

IdP initiated Single Sign Out

  • Each Web or Single-Page Application must expose a public HTTPS endpoint, e.g. "https://yourwebapp.com/singlesignout". This endpoint must be registered as the Frontchannel Logout URI in the application's Details tab.

  • The endpoint MUST remove all cookies (kill the session) of your Web Application, and it MUST be callable from within an iframe hosted by Visma Connect, so your CSP frame-ancestors directive and/or X-Frame-Options header must permit the Visma Connect origin (see the iframe Ancestor URL below). Note that the browser only sends your session cookie on this cross-site iframe request if the cookie was set with SameSite=None; Secure.

  • Return one of the following status codes:

    • 204 No Content - for successful logouts

    • 4xx - for bad/malformed request data or authentication/authorization related errors

    • 5xx - for server errors

  • Return the following response headers:

    • Content-Type (NOT applicable for 204 No Content responses)

    • Content-Security-Policy: frame-ancestors <connect_iframe_ancestor_url> (if applicable - see the URL below). This is the directive current browsers honour.

    • X-Frame-Options: ALLOW-FROM <connect_iframe_ancestor_url> (if applicable - see the URL below). Current browsers ignore ALLOW-FROM and apply frame-ancestors instead, so do not rely on this header alone, and never send X-Frame-Options: DENY or SAMEORIGIN on this endpoint, as that blocks the logout iframe.

  • Make sure that you DO NOT explicitly specify the header X-Content-Type-Options: nosniff if you don't return any data besides the status code. This combination (no body + that header) triggers a file download on iOS (most probably a bug in how the OS handles MIME types).

Application initiated Single Sign Out

  1. Call your own application's Logout URI endpoint first, so the user is logged out of your application even if the redirect chain below is interrupted.

  2. Then redirect the browser to the /connect/endsession endpoint in Visma Connect with 3 query string parameters:

    1. id_token_hint = the JWT ID token obtained when the user logged in. It tells Visma Connect which user and session to end and which client is asking.

    2. post_logout_redirect_uri = a valid PostLogoutRedirectURI registered for your application in Visma Connect, to which Visma Connect redirects the user after logout has completed for all web applications that are part of the Visma Connect session. The value must match the registered URI exactly.

    3. state = (optional) a unique, unguessable string generated by the client; it is returned unchanged when the user is redirected to the post logout redirect URI. The client should verify that it matches the value it sent before treating the callback as the outcome of its own logout request.

  3. Visma Connect signs the user out of the IdP and of all other web applications that are part of its session.

  4. Visma Connect redirects the user to your post_logout_redirect_uri.

Visma Connect iframe Ancestor URL: https://connect.visma.com

Example request:

GET https://connect.visma.com/connect/endsession?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6IjZCN0FDQzUy...mzWcJD6TGtQ&post_logout_redirect_uri=https://yourwebapp.com&state=abc123


