Single Sign Out
- Updated on 04 Apr 2024
Visma Connect IdP supports both Back-Channel Logout and Front-Channel Logout. Implementation of Back-channel logout is recommended.
Back-Channel Logout
To use Back-Channel Logout, an application must expose a public Back-Channel Logout URI at which it expects to receive requests carrying the Logout Token. When an application receives such a request, it must clear the local session state that matches the claims in the token.
| Request to Back-Channel Logout URI | Value |
|---|---|
| HTTP Method | POST |
| Content-Type | x-www-form-urlencoded |
| Form content (key-value pairs) | logout_token: <jwt_token> |
OAuth Logout Token Attributes:
| Attribute | Description |
|---|---|
| aud | (audience) The client ID for which the Logout Token is intended. |
| iat | (issued at time) The time at which the token was issued. |
| iss | (issuer) A unique identifier for the Identity Provider that issued the JWT. |
| sub | (subject) Identifies the user who is the subject of the JWT. |
| events | (events) A JSON object containing the member name "http://schemas.openid.net/event/backchannel-logout". The value of the member should be an empty JSON object. This declares that the JWT is a Logout Token. |
| sid | (session id) Identifier for a session of the user. |
| jti | (JWT ID) Unique identifier for the token, used to prevent Logout Token replays. |
| nbf | (not before) The time before which the token MUST NOT be accepted for processing. |
| exp | (expiration time) Limits the time window during which the JWT can be used. The app must reject any JWT whose expiration time has passed, subject to allowable clock skew between systems. Set to expire 300 seconds after the issued-at time. |
Example of JWT Logout Token:
```json
{
  "iss": "https://connect.visma.com",
  "nbf": 1683185167,
  "iat": 1683185167,
  "exp": 1683185467,
  "aud": "your_apps_client_id",
  "jti": "E431A3A2A9375CEA81BC576283BBE070",
  "events": {
    "http://schemas.openid.net/event/backchannel-logout": {}
  },
  "sub": "a219705d-f587-4fe9-a424-bb5d35039704",
  "sid": "1739dfff-8a9e-c3c5-de28-fd84a56292fc"
}
```
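As an added example (not Visma's code and not part of this page), here is a Python handler for the Back-Channel Logout URI that checks the logout_token against the attribute table above: issuer, audience, the iat/exp/nbf window with clock skew, the events member, presence of sub or sid, absence of nonce, and jti replay, and then ends the matching local sessions. Visma Connect's tokens are RSA-signed (the example id_token header on this page decodes to alg RS256), and nothing in a logout token may be trusted before its signature has been verified against the IdP's published keys; that check is passed in as a callback here, and the demo substitutes an HS256 verifier with a constructed shared secret so the block runs offline. The in-memory session dict, the function names, the 60-second skew, the demo secret and the constructed sessions are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
ISSUER = "https://connect.visma.com"  # issuer and placeholder client ID taken from the page's example token
CLIENT_ID = "your_apps_client_id"

class LogoutTokenError(ValueError):
    """Any reason to reject the logout_token; the endpoint answers 400 without saying which."""

def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def validate_logout_token(token, *, issuer, client_id, verify_signature, seen_jti, now, skew=60):
    """Check a logout_token as OIDC Back-Channel Logout 1.0 section 2.6 requires and return its claims.
    verify_signature(header, signing_input, signature) -> bool is the caller's check (RS256 + JWKS in production)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("not a compact JWS")
    try:
        header, claims = (json.loads(_b64url_decode(p)) for p in parts[:2])
        signature = _b64url_decode(parts[2])
    except ValueError:
        raise LogoutTokenError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict) or str(header.get("alg")).lower() == "none":
        raise LogoutTokenError("malformed or unsigned token")
    if not verify_signature(header, f"{parts[0]}.{parts[1]}".encode(), signature):
        raise LogoutTokenError("signature does not verify")  # nothing below is trusted until this passes
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("not intended for this client")
    if any(c not in claims for c in ("iat", "exp", "jti", "events")):
        raise LogoutTokenError("required claim missing")
    if now > claims["exp"] + skew or now + skew < claims.get("nbf", claims["iat"]):
        raise LogoutTokenError("outside the validity window")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid present")
    events = claims["events"]
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise LogoutTokenError("events does not declare a logout token")
    if "nonce" in claims:  # forbidden by the spec, so a logout token can never pass as an ID token
        raise LogoutTokenError("nonce present")
    if claims["jti"] in seen_jti:  # replay protection; remember jtis at least until exp + skew
        raise LogoutTokenError("replayed jti")
    seen_jti.add(claims["jti"])
    return claims

def revoke_sessions(sessions, claims):
    """End local sessions (local id -> {"sub", "sid"}) by sid when present, else all sessions of the subject."""
    key, wanted = ("sid", claims["sid"]) if claims.get("sid") else ("sub", claims["sub"])
    ended = sorted(k for k, s in sessions.items() if s.get(key) == wanted)
    for k in ended:
        del sessions[k]
    return ended

def handle_backchannel_logout(form, *, verify_signature, seen_jti, sessions, now=None):
    """POST handler for the Back-Channel Logout URI: returns (status, headers, ended local session ids)."""
    headers = {"Cache-Control": "no-store"}
    try:
        claims = validate_logout_token(form.get("logout_token", ""), issuer=ISSUER, client_id=CLIENT_ID,
                                       verify_signature=verify_signature, seen_jti=seen_jti,
                                       now=int(time.time()) if now is None else now)
    except LogoutTokenError:
        return 400, headers, []  # the status the spec prescribes for an invalid logout token
    return 200, headers, revoke_sessions(sessions, claims)

DEMO_SECRET = b"constructed-demo-secret-not-an-idp-key"  # demo-only HS256; production verifies RS256 via JWKS

def hs256_verifier(secret):
    return lambda header, signing_input, sig: header.get("alg") == "HS256" and hmac.compare_digest(
        hmac.new(secret, signing_input, hashlib.sha256).digest(), sig)

def mint_demo_logout_token(claims, secret=DEMO_SECRET):
    head, body = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}'), _b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}." + _b64url_encode(hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest())

EXAMPLE_CLAIMS = {  # the page's example logout token
    "iss": ISSUER, "nbf": 1683185167, "iat": 1683185167, "exp": 1683185467, "aud": CLIENT_ID,
    "jti": "E431A3A2A9375CEA81BC576283BBE070", "events": {BACKCHANNEL_EVENT: {}},
    "sub": "a219705d-f587-4fe9-a424-bb5d35039704", "sid": "1739dfff-8a9e-c3c5-de28-fd84a56292fc",
}

def demo():
    """Constructed sessions: the token ends only the one with the matching sid; a replay is refused."""
    sessions = {"local-1": {"sub": EXAMPLE_CLAIMS["sub"], "sid": EXAMPLE_CLAIMS["sid"]},
                "local-2": {"sub": EXAMPLE_CLAIMS["sub"], "sid": "another-idp-session"},
                "local-3": {"sub": "someone-else", "sid": "unrelated"}}
    seen, form, now = set(), {"logout_token": mint_demo_logout_token(EXAMPLE_CLAIMS)}, EXAMPLE_CLAIMS["iat"] + 10
    verify = hs256_verifier(DEMO_SECRET)
    first = handle_backchannel_logout(form, verify_signature=verify, seen_jti=seen, sessions=sessions, now=now)
    replay = handle_backchannel_logout(form, verify_signature=verify, seen_jti=seen, sessions=sessions, now=now)
    return first, replay, sorted(sessions)
```

Calling demo() returns a 200 that ended only local-1, a 400 for the replayed token, and the two untouched sessions. The jti set must be shared across all workers of the application and kept at least until exp plus the allowed skew, otherwise a second delivery of the same token would be accepted; the handler deliberately returns the same 400 for every failure so the response does not reveal which check failed.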
Front-Channel Logout
IdP-initiated Single Sign Out
Each web or single-page application must expose a public HTTP endpoint served over HTTPS, e.g. "https://yourwebapp.com/singlesignout". This endpoint must be registered as the Frontchannel Logout URI in the application's Details tab.
The endpoint MUST remove all cookies (kill the session) on your web application, and it MUST be allowed to be called from within an iframe (so you must set an appropriate Content-Security-Policy frame-ancestors directive and/or X-Frame-Options HTTP header).
Return one of the following status codes:
- 204 No Content - for successful logouts
- 4xx - for bad/malformed request data or authentication/authorization related errors
- 5xx - for server errors
Return the following response headers:
- Content-Type (NOT applicable for 204 No Content responses)
- Content-Security-Policy: frame-ancestors <connect_iframe_ancestor_url> (if applicable - see URL list below)
- X-Frame-Options: allow-from <connect_iframe_ancestor_url> (if applicable - see URL list below)
Make sure that you DO NOT explicitly set the header X-Content-Type-Options=nosniff if you return no data besides the status code. This combination (no data plus that header) triggers a file download on iOS (most probably a bug in how the OS handles MIME types).
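An added example, not from the page or from Visma: a Python builder for the response the Frontchannel Logout URI must return (204, no body, session cookies expired, Content-Security-Policy frame-ancestors allowing the Visma Connect origin) together with a small checker that flags the responses the rules above forbid, such as a 204 with Content-Type, nosniff on an empty body, or a frame-blocking X-Frame-Options. The header names are the page's; the cookie names, the cookie domain, the end_server_session hook and the "careless" response in the demo are assumptions.

```python
CONNECT_IFRAME_ANCESTOR = "https://connect.visma.com"  # Visma Connect iframe ancestor URL from the page

def front_channel_logout_response(session_cookie_names, end_server_session=None, cookie_domain=None):
    """Build the response for the Frontchannel Logout URI: (status, headers) with headers as
    (name, value) pairs, since one Set-Cookie per cookie is needed. No body, so no Content-Type."""
    if end_server_session:
        end_server_session()  # invalidate the server-side session record first; cookies second
    headers = [
        ("Cache-Control", "no-store"),
        ("Content-Security-Policy", f"frame-ancestors {CONNECT_IFRAME_ANCESTOR}"),
    ]
    for name in session_cookie_names:
        # Clearing only works when Path and Domain match the attributes the cookie was set with.
        cookie = f"{name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Secure; HttpOnly"
        if cookie_domain:
            cookie += f"; Domain={cookie_domain}"
        headers.append(("Set-Cookie", cookie))
    return 204, headers

def check_front_channel_response(status, headers, body=b""):
    """Lint a front-channel logout response against the rules listed above; returns the problems found."""
    single = {name.lower(): value for name, value in headers}
    problems = []
    if status != 204 and not 400 <= status < 600:
        problems.append(f"status {status} is not 204, 4xx or 5xx")
    if status == 204 and "content-type" in single:
        problems.append("a 204 response must not carry Content-Type")
    if not body and single.get("x-content-type-options", "").lower() == "nosniff":
        problems.append("nosniff on an empty body makes iOS download a file instead of finishing logout")
    csp = single.get("content-security-policy", "")
    if "frame-ancestors" not in csp or CONNECT_IFRAME_ANCESTOR not in csp:
        problems.append(f"Content-Security-Policy frame-ancestors must allow {CONNECT_IFRAME_ANCESTOR}")
    if single.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"):
        problems.append("X-Frame-Options DENY/SAMEORIGIN blocks the Visma Connect iframe")
    if status == 204 and not any(name.lower() == "set-cookie" for name, _ in headers):
        problems.append("a successful logout must clear the session cookies")
    return problems

def demo():
    """A constructed response with common hardened defaults next to the compliant one."""
    careless = [("X-Content-Type-Options", "nosniff"), ("X-Frame-Options", "SAMEORIGIN")]
    status, good = front_channel_logout_response(["sessionid", "csrftoken"], cookie_domain="yourwebapp.com")
    return check_front_channel_response(204, careless), check_front_channel_response(status, good)
```

Two caveats matter when wiring this up. Current browsers ignore X-Frame-Options allow-from, so the Content-Security-Policy frame-ancestors directive is what actually lets the Visma Connect iframe load the endpoint; X-Frame-Options can still be sent alongside it. And because the iframe request is cross-site, SameSite cookie defaults can stop the browser from sending or accepting the session cookie at all, which is why the end_server_session hook, not the Set-Cookie headers, is what reliably kills the session, and part of why the page recommends Back-Channel Logout.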
Application-initiated Single Sign Out
1. Call your own application's Logout URI endpoint.
2. Then call the /connect/endsession endpoint in Visma Connect with 3 query string parameters:
   - id_token_hint = The JWT ID token obtained when the user logged in.
   - post_logout_redirect_uri = A valid PostLogoutRedirectURI registered for your application in Visma Connect. Visma Connect redirects the user there after logout has completed for all web applications that are part of the Visma Connect session.
   - state = (optional) A unique string the client generates and sends in; it is returned to the client when the user is redirected to the post logout redirect URI. Clients can validate this string.
3. Visma Connect signs the user out from the IdP and from all other web applications that are part of its session.
4. Visma Connect redirects the user to your post_logout_redirect_uri.
Visma Connect iframe Ancestor URL: https://connect.visma.com
Example request:
GET https://connect.visma.com/connect/endsession?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6IjZCN0FDQzUy...mzWcJD6TGtQ&post_logout_redirect_uri=https://yourwebapp.com&state=abc123
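The application-initiated flow above, as an added example that is neither the page's nor Visma's code: a Python helper that ends the local session, builds the /connect/endsession request with its three query parameters properly URL-encoded (the page's example request leaves the redirect URI unencoded), binds a random state to the logout, and checks that state when the user arrives back at the post_logout_redirect_uri. The endpoint and parameter names come from the page; the local session dict, the registered-URI allowlist, the sample ID token and the function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ENDSESSION_ENDPOINT = "https://connect.visma.com/connect/endsession"
# Placeholder: must list exactly the PostLogoutRedirectURIs registered for the app in Visma Connect.
REGISTERED_POST_LOGOUT_URIS = {"https://yourwebapp.com"}

def build_endsession_url(id_token, post_logout_redirect_uri, state):
    """Compose the /connect/endsession request; urlencode escapes the JWT and the redirect URI."""
    if post_logout_redirect_uri not in REGISTERED_POST_LOGOUT_URIS:
        # The IdP rejects unregistered URIs too; checking locally keeps user-supplied values out.
        raise ValueError("post_logout_redirect_uri is not one of the registered URIs")
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": post_logout_redirect_uri,
                       "state": state})
    return f"{ENDSESSION_ENDPOINT}?{query}"

def application_logout(local_sessions, local_session_id, id_token, post_logout_redirect_uri):
    """Step 1: end the app's own session. Step 2: return the endsession URL to send the browser to,
    plus the state the app must remember (e.g. in a short-lived cookie) to check on return."""
    local_sessions.pop(local_session_id, None)
    state = secrets.token_urlsafe(24)  # unpredictable and unique per logout
    return build_endsession_url(id_token, post_logout_redirect_uri, state), state

def verify_post_logout_return(query_string, expected_state):
    """At the post_logout_redirect_uri: accept the return only if state matches what was issued."""
    returned = parse_qs(query_string).get("state", [""])[0]
    return hmac.compare_digest(returned.encode(), expected_state.encode())

def parse_endsession_url(url):
    """Split a built URL back into (endpoint, params) for inspection."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}", {k: v[0] for k, v in parse_qs(parts.query).items()}

def demo():
    """Constructed session and ID token; returns the decoded request and the state check results."""
    sessions = {"local-1": {"sub": "a219705d-f587-4fe9-a424-bb5d35039704"}}
    url, state = application_logout(sessions, "local-1", "eyJ.example.idtoken", "https://yourwebapp.com")
    endpoint, params = parse_endsession_url(url)
    return endpoint, params, verify_post_logout_return(f"state={state}", state), verify_post_logout_return("state=abc123", state)
```

The state value only proves that the redirect back is the completion of a logout this application started; it does not replace the server-side session removal in step 1, which must happen before the browser leaves for the IdP.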