SAML20 module: how to set the sign out button behavior?

4
We are using the SAML20 module and our application has a default sign out button. Clicking the button leads to https://mourikapp-accp.mendixcloud.com/login.html. Furthermore, after signing off in this way, if the user then exits the app and starts it again, he is logged in automatically. Desired behavior: I'd like the user to be directed to the ADFS login page again after he logged in via SAML (ADFS) and then clicked the Sign out button. I did set the constant SAML20.DefaultLogoutPage to /SSO/ but that does not seem to have an effect. Any help would be greatly appreciated.
asked
3 answers
3

Redirecting to <app url>/SSO/logout does the trick.

I have created an extra logout button that performs the redirect via the URLRedirector widget. Both logout buttons have conditional visibility, based on a boolean on an object that is created during login.

answered
1

Hi Axel,

   The major hurdle here is that the Mendix app does not have a way to invalidate the current session for your ADFS. The default sign out button ends the Mendix session, but doesn't do anything to the ADFS SAML token that a user gets when the successfully log into your SSO.  Therefore, when a user goes to the Mendix app again, they are re-routed to the SSO authentication which validates that a token is there and they are automatically logged in.  In order to really log a user out, you will need to send a 'signout request' to your ADFS.  This is typically a URL that you can link to from a Mendix Microflow or button that will kill the session. 

  Looking at the ADFS forum a bit, it appears that you can specify a redirect URL for your log out request, in which case you can send the user to the <yourMEndixApp>/SSO/ link.

answered
1

Could you share details on how you differed those buttons?

answered