Hi, pac4j aims to handle authentication and logout as well. But the "logout" concept relates to many things.
In pac4 implementations (like j2e-pac4j), we have a logout filter whose role is double: 1) performs (or not) a local logout: removing the pac4j user profiles from the session and even destroying the web session (it depends on the configuration) 2) redirects/calls to the identity provider for a global logout (this application and all applications the user has been logged in during his web SSO session) Behind the scene, the DefaultLogoutLogic is called which uses the LogoutActionBuilder of the client to know how to call the identity provider for logout. See: https://github.com/pac4j/j2e-pac4j#6-logout-logoutfilter Though, there is more: the identity provider may have been called by another application also requesting a global logout, so it may call the application to request a local logout. This can be done in two ways: - from server to server, it's a back-channel logout call - from browser to server, it's a front-channel logout (we have the session cookie for the application and thus can easily find the user session). The logout call must be received on the callback endpoint, which handles both: callback calls for authentication as well as logout calls. This last part only works for CAS currently. For SAML, it's more or less in progress. Just let me know if you need more explanations. Thanks. Best regards, Jérôme On Sun, Feb 25, 2018 at 5:12 PM, Sandeep Moré <[email protected]> wrote: > Hello All, > > I am kickstarting a discussion about KnoxSSO logout flow, I created a KIP > page for it > https://cwiki.apache.org/confluence/display/KNOX/KIP- > 10+KnoxSSO+Logout+Flow > > In the coming week I am planning on adding more sections for CAS, OpenID > connect etc. as I research them more. In the mean time, if you could take a > look at it and provide feedback/comments/suggestions that would be > extremely helpful. Also, please feel free to let me know of any use case > you might think is useful and should be added. > > Best, > Sandeep >
