<sticky><div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">
---+!! Configure Single Sign-On and Single Sign-Out for ELM configured with a SAML or OIDC Provider
%DKGRAY% Authors: Main.ShubjitNaik <br> Build basis: Engineering Lifecycle Management and Jazz Authorization Server 7.0.2 and Higher %ENDCOLOR%
</div></sticky>
<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;">
%TOC{title="Page contents"}%
</div></sticky>
<sticky><div style="margin:15px;"></sticky>

Jazz Authorization Server (JAS) is a Liberty !OpenID Connect Provider, and it can be configured to further delegate authentication to a [[JASandSAML][SAML Identity Provider]] or a [[JASandOIDCProvider][Third Party OIDC Provider]]. The expectation is for Single Sign-On and Single Sign-Out to work between ELM and non-ELM applications that are both configured to use the same Provider.

This article focuses on Single Sign-On and Logout. It is assumed that you have already configured JAS with either a SAML !IdP or a Third Party OIDC Provider.

---++ JAS configured with a SAML !IdP

---+++ Configuring Single Sign-On

The default configuration of JAS with a SAML !IdP instructs the !IdP to force the user to re-authenticate. This configuration must be changed for SSO to work between ELM and non-ELM applications.

Steps to update the configuration:
   * Edit the =appConfig.xml= file located at =[JAS_HOME]\wlp\usr\server\jazzop\appConfig.xml=
   * Search for the =samlWebSso20= section, update the parameter _forceAuthn_ to =forceAuthn="false"= and add the parameter =spLogout="true"=
<verbatim>
<samlWebSso20 id="defaultSP"
    spCookieName="jazzop_sso_cookie_idp"
    forceAuthn="false"
    authFilterRef="samlAuthFilter"
    spLogout="true" >
</samlWebSso20>
</verbatim>
   * Test Single Sign-On between ELM and non-ELM applications

---+++ Configuring Single Sign-Out

You need to perform the following additional configuration changes in JAS.
   * First confirm that the SAML =idpMetadata.xml= file contains an =HTTP-POST= binding for =SingleLogoutService=. IBM Liberty only supports SAML SSO with =HTTP-POST= bindings, not the =HTTP-Redirect= binding.
      * [[https://www.ibm.com/docs/en/was-liberty/nd?topic=authentication-saml-20-web-browser-single-sign][IBM WebSphere Liberty SAML Documentation]]
      * An example entry looks like this:
<verbatim>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mysaml.example.com/mysaml/slo" />
</verbatim>
   * Next, upgrade the Liberty profile for JAS to 23.0.0.6 or higher
      * Download Liberty version 23.0.0.6: https://www.ibm.com/support/pages/fix-list-ibm-websphere-application-server-liberty
      * Upgrade Jazz Authorization Server: https://www.ibm.com/support/pages/node/6445491
   * Edit the =appConfig.xml= file located at =[JAS_HOME]\wlp\usr\server\jazzop\appConfig.xml=
   * Search for the =samlWebSso20= section and change the =spCookieName= parameter value from =jazzop_sso_cookie_idp= to, for example, =liberty_saml_idp_sso_cookie=, or to any name of your choice.
<verbatim>
<samlWebSso20 id="defaultSP"
    spCookieName="liberty_saml_idp_sso_cookie"
    forceAuthn="false"
    authFilterRef="samlAuthFilter"
    spLogout="true" >
</samlWebSso20>
</verbatim>
   * Add =/end_session= to the Authentication Filter =requestUrl=
<verbatim>
<authFilter id="samlAuthFilter">
    <requestUrl id="samlRequestUrl" urlPattern="/authorize|/end_session" matchType="contains" />
    <userAgent id="samlUserAgent" agent="Mozilla|Opera" matchType="contains"/>
</authFilter>
</verbatim>

---+++ Configuring Single Sign-Out when SAML !IdP does not support HTTP-POST

=This workaround works if you can directly access the SAML !IdP Logout URL=

There are instances where the SAML !IdP does not support HTTP-POST for =SingleLogoutService=, or where the above instructions do not work. In that case you can follow the workaround below, which is additional configuration in ELM.
   * Request your Administrator to share the SAML !IdP Logout URL that can be accessed directly
      * Sample logout URL (for example, Microsoft ADFS): =https://adfs.example.org/adfs/ls/?wa=wsignout1.0=
   * In each ELM application (=jts, ccm, qm, rm, gc and dcc=) perform the following:
      * Access Advanced Properties: =https://[ELM_URL]/[app]/admin#action=com.ibm.team.repository.admin.configureAdvanced=
      * Search for the property =Web Logout URI= and update the value with the Logout URL received
      * Search for the property =Trusted URIs for client authorization and redirection= and update the value with the Logout URL received
   * Test Logout from ELM Applications

---++ JAS configured with a Third Party OIDC Provider

---+++ Configuring Single Sign-On

When ELM is configured with a Third Party OIDC Provider, no changes are needed.

---+++ Configuring Single Sign-Out

With the default configuration, Logout operations from ELM do not complete. You need to perform the following additional configuration in ELM.

=This workaround works if you can directly access the OIDC Logout URL=
   * Request your Administrator to share the OIDC Logout URL
      * Sample logout URL from a customer: =https://preprod.example.com/ui/oidcclient/logout=
   * In each ELM application (=jts, ccm, qm, rm, gc and dcc=) perform the following:
      * Access Advanced Properties: =https://[ELM_URL]/[app]/admin#action=com.ibm.team.repository.admin.configureAdvanced=
      * Search for the property =Web Logout URI= and update the value to the Logout URL received
      * Search for the property =Trusted URIs for client authorization and redirection= and update the value with the Logout URL received
   * Test Logout from ELM Applications

---++ Testing

After applying the Single Sign-On and Sign-Out configurations from the previous steps, the results are as follows:
   * Single Sign-On is achieved between ELM and non-ELM applications
   * Logout from an ELM application logs out via the !IdP logout URL, and all other ELM applications are logged out
   * Logout from a non-ELM application: ELM applications are NOT logged out immediately
   * After the SSO timeout, which is set to 2 hours by default (it can be changed), the applications are redirected to the !IdP and existing sessions are logged out

<br>
---+++++!! Related topics: [[JazzAuthorizationServer][Jazz Authorization Server Landing Page]], [[JASandOIDCProvider][Configure ELM with a Third Party OIDC provider]]
---+++++!! External links:
   * [[https://www.ibm.com][IBM]]
<sticky></div></sticky>
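As an added pre-flight check for the SAML sections above (example code written for this article; it is not part of JAS or Liberty), the following script parses an IdP metadata file and an =appConfig.xml= fragment and reports whether =SingleLogoutService= offers the HTTP-POST binding and whether =samlWebSso20= and its =authFilter= carry the values the steps require. The two embedded XML documents are constructed samples showing the pre-change defaults; the =<server>= root and element layout are assumptions, so point the functions at your real files.

```python
import xml.etree.ElementTree as ET

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata: its SingleLogoutService only offers HTTP-Redirect,
# the binding Liberty does not support for SAML single logout.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{SAML_MD}" entityID="https://idp.example.org">
  <md:IDPSSODescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed appConfig.xml fragment (assumed <server> root) with the defaults before the edits.
APP_CONFIG = """<server>
  <samlWebSso20 id="defaultSP" spCookieName="jazzop_sso_cookie_idp" forceAuthn="true"
      authFilterRef="samlAuthFilter"/>
  <authFilter id="samlAuthFilter">
    <requestUrl id="samlRequestUrl" urlPattern="/authorize" matchType="contains"/>
  </authFilter>
</server>"""


def slo_post_locations(metadata_xml):
    """Locations of SingleLogoutService endpoints that use the HTTP-POST binding."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iter(f"{{{SAML_MD}}}SingleLogoutService")
            if e.get("Binding") == HTTP_POST]


def check_app_config(config_xml):
    """Findings for the samlWebSso20/authFilter settings the article requires (empty = OK)."""
    root = ET.fromstring(config_xml)
    sp = root.find("samlWebSso20")
    if sp is None:
        return ["samlWebSso20 element not found"]
    findings = []
    if sp.get("forceAuthn") != "false":
        findings.append('forceAuthn must be "false" for SSO across applications')
    if sp.get("spLogout") != "true":
        findings.append('spLogout="true" is missing')
    if sp.get("spCookieName") == "jazzop_sso_cookie_idp":
        findings.append("spCookieName still has the default value; rename it for single sign-out")
    flt = root.find(f"authFilter[@id='{sp.get('authFilterRef')}']")
    req = None if flt is None else flt.find("requestUrl")
    pattern = "" if req is None else req.get("urlPattern", "")
    if "/end_session" not in pattern.split("|"):
        findings.append("authFilter requestUrl urlPattern lacks /end_session")
    return findings
```

Run =check_app_config= on the file again after the edits; an empty list means every setting from the steps above is present.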
History: r19 - 2023-09-08 - 12:00:49 - ShubjitNaik