Single logout logs the user out of all applications the user has logged in to throughout a session. For this to happen, logout needs to be called with the parameter singlelogout=true, and all applications need to have implemented a special single-logout endpoint, which login.bib.dk uses to log the user out of each application.
To initiate single logout, redirect the user to login.bib.dk/logout?singlelogout=true&access_token={ACCESS_TOKEN}&redirect_uri={REDIRECT_URI}
Parameters:
- singlelogout: (true|false) Initiate single logout or not.
- access_token: (optional) If access_token is set, a link back to the initiating client application is added.
- redirect_uri: (optional) If provided, the user is redirected back to the redirect_uri after successful login.
  - Requires access_token to be set.
  - Requires the redirect_uri to be preconfigured.
In order for an application to support single logout through login.bib.dk, an endpoint in the individual applications that meets the following criteria is required:
- The endpoint should clear the current session for the user.
- This endpoint must approve iframing in the access platform, by setting the header
  X-Frame-Options: allow-from https://login.bib.dk/
  See documentation for X-Frame-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- Endpoint must return a response in JSON containing a status code in body:
  { "statusCode": 200 }
- Path to endpoint should be preconfigured on the client in login.bib.dk. The endpoint is configured as a relative path on the client. Login.bib.dk will add the host from the redirect_uri used at login. This way single-logout can be tested during development and staging:
  { "singleLogoutPath": "/api/singlelogout" }
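A client-side endpoint meeting the criteria above could look like the following. This is an added example, not code from login.bib.dk; the cookie name `sid`, the in-memory `sessions` store and the helper names are assumptions. The `Content-Security-Policy: frame-ancestors` header goes beyond what the page requires and is included because current browsers ignore the `allow-from` directive of X-Frame-Options.

```javascript
// Added example: single-logout endpoint for Node's built-in http module.
// Assumed names: cookie "sid", in-memory store `sessions`, path from singleLogoutPath.
const SINGLE_LOGOUT_PATH = '/api/singlelogout';
const sessions = new Map(); // sessionId -> session data (hypothetical store)

// Pull the session id out of a Cookie header such as "theme=dark; sid=abc123".
function sessionIdFromCookie(cookieHeader = '') {
  for (const part of cookieHeader.split(';')) {
    const [name, ...value] = part.trim().split('=');
    if (name === 'sid') return value.join('=') || null;
  }
  return null;
}

// Every response carries the JSON body { "statusCode": <status> }.
function sendJson(res, status, headers) {
  res.writeHead(status, { 'Content-Type': 'application/json', ...headers });
  res.end(JSON.stringify({ statusCode: status }));
}

function handleSingleLogout(req, res) {
  if (req.url.split('?')[0] !== SINGLE_LOGOUT_PATH) {
    return sendJson(res, 404, {});
  }
  // Clear the current session. The request arrives inside an iframe on
  // login.bib.dk, so the browser only sends the session cookie if it was
  // issued with SameSite=None; Secure.
  const sid = sessionIdFromCookie(req.headers.cookie);
  if (sid) sessions.delete(sid);
  sendJson(res, 200, {
    // Allow framing by login.bib.dk only: the header the page requires,
    // plus the CSP equivalent that current browsers enforce.
    'X-Frame-Options': 'allow-from https://login.bib.dk/',
    'Content-Security-Policy': 'frame-ancestors https://login.bib.dk',
    // Expire the cookie in the browser as well as the server-side session.
    'Set-Cookie': 'sid=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=None',
    'Cache-Control': 'no-store',
  });
}

// Wiring (not executed here):
// require('http').createServer(handleSingleLogout).listen(3000);
```

The handler answers 200 even when no session cookie is present, so a repeated logout call leaves the user logged out and still reports success.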
A client can function as a proxy, e.g. when logging in to the HA-proxy through the CAS protocol (CAS login). In that case the client should be disregarded as a client the user is logged in through.
This can be achieved by setting proxy: true on the client configuration.