TODO: under construction

File(s): conf/relying-party.xml, conf/oidc.properties
Format: Native Spring, Spring Properties


Overview

Since OP version 4.1, the OIDC.Logout profile configuration bean enables support for the OIDC logout specifications, which cover two halves:

...

Similarly to the SAML logout, the propagation step works in the same way regardless of how the logout is initiated (see LogoutConfiguration).

Configuration

Profile configurations

In addition to the OIDC.Logout bean, make sure the OAUTH2.Revocation bean is also enabled, so that tokens can be revoked during the logout process (see the documentation for the revokeTokens property below).

Required IdP properties

Similarly to the SAML logout, the following global configuration properties need to be set to true:

...

Profile-Specific

Options specific to the OIDC Logout flow:

Name | Type | Description
--- | --- | ---
encryptionOptional | Boolean | Whether to automatically disable back-channel logout token encryption if the relying party does not possess a suitable key (defaults to true).
preferFrontChannel | Boolean | Whether to prefer front-channel logout propagation if both front- and back-channel URIs are defined in the RP metadata (defaults to true).
frontChannelSuccess | Boolean | Whether to consider front-channel logout propagation successful in the propagation UI (defaults to false).
revokeTokens | Boolean | Whether to revoke the access and refresh tokens related to the session (defaults to true). Note that the OAUTH2.Revocation profile must be enabled for the RP.
requireIdTokenHint | Boolean | Whether to require the id_token_hint parameter in the RP-initiated logout request.
logoutHintMatchingStrategy | BiPredicate<String, SPSession> | A bi-predicate for matching the logout_hint parameter with an SPSession (defaults to always returning false).

The following properties can be used to globally control the settings above:

  • idp.oidc.logout.encryptionOptional

  • idp.oidc.logout.preferFrontChannel

  • idp.oidc.logout.frontChannelSuccess

  • idp.oidc.logout.revokeTokens

  • idp.oidc.logout.requireIdTokenHint

  • idp.oidc.logout.logoutHintMatchingStrategy

The global bean shibboleth.oidc.logout.LogoutTokenTypeLookupStrategy (Function<MessageContext, String>) can be defined to replace the default logic for naming back-channel logout tokens. By default, their type is always logout+jwt, as recommended by the specification.
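A relying-party.xml fragment that enables both profile beans and tightens the per-RP settings described above, as an added example rather than the project's own configuration; it assumes the standard shibboleth.DefaultRelyingParty bean layout and elides the other profile beans.

```xml
<!-- conf/relying-party.xml (added example; other profile beans omitted) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="OIDC.SSO" />

                <!-- Required next to OIDC.Logout: without it revokeTokens cannot
                     actually revoke the session's access and refresh tokens. -->
                <bean parent="OAUTH2.Revocation" />

                <!-- requireIdTokenHint: reject RP-initiated logout requests that do
                       not carry id_token_hint, so the request is tied to a session
                       this IdP issued rather than to an unauthenticated guess.
                     revokeTokens: already true by default, stated here explicitly.
                     preferFrontChannel: false makes back-channel propagation the
                       choice when an RP registers both URIs (default is true). -->
                <bean parent="OIDC.Logout"
                      p:requireIdTokenHint="true"
                      p:revokeTokens="true"
                      p:preferFrontChannel="false" />
            </list>
        </property>
    </bean>
</beans>
```

The same choices can be applied to every RP at once through the idp.oidc.logout.* properties listed above (for example idp.oidc.logout.requireIdTokenHint = true in conf/oidc.properties), with the bean properties then only needed for per-RP overrides.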