How to logout from CMS when logged in via Single sign on

Good day,

We are working on single sign-on functionality so it is possible to log into Bloomreach. We got the login part working, so if a user is logged into Azure Active Directory they will be logged into the CMS as well. However, we are not able to log the user out. When the logged-in user clicks on ‘log out’ in the CMS they are automatically logged in again.

To fix this we have tried to create our own custom CmsLogoutService that extends the Bloomreach CmsLogoutService. Here we override the redirectPage() method. When I debug, this code is carried out, but we still get redirected to the CMS and the user is logged in again. Do you have any advice on how to tackle this issue?

Hello @Mijnisha, you are on the right track here. The problem is that the CMS navigation gets in the way of the redirection to the logout. So in your CmsLogoutService do something like this:

// in your subclass of CmsLogoutService; RedirectToUrlException is Wicket's
// org.apache.wicket.request.flow.RedirectToUrlException
@Override
protected void redirectPage() {
    // Azure requires a redirect to /logout to correctly sign the user out of SSO
    throw new RedirectToUrlException("/logout");
}

And then add a logout handler to your security config (I assume you’re using Spring here), which uses a JSP that “breaks out” of the CMS iframing:

// imports needed by the handler below
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

// inside configure(HttpSecurity http): logout handler to forward the user to Azure's logout page
http.logout().logoutSuccessHandler(new LogoutSuccessHandler() {
    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {
        // the JSP uses JavaScript to break out of the iframing done by the navapp
        String url = "https://login.microsoftonline.com/" + System.getenv("SSO_TENANT_ID") + "/oauth2/v2.0/logout";
        request.setAttribute("logoutUrl", url);
        request.getRequestDispatcher("/WEB-INF/logout-redirect.jsp").forward(request, response);
        response.flushBuffer();
    }
});

And here is the logout-redirect.jsp:

<%-- logoutUrl is set server-side from configuration by the logout handler; because it is
     inlined into a script, it must never be populated from request parameters --%>
<script type="application/javascript">
    function redirect() {
        let url = '<%= request.getAttribute("logoutUrl") %>';
        // when the CMS is framed by the navapp, navigate the top window instead of the iframe
        if (window.location !== window.parent.location) {
            window.parent.location.assign(url);
        } else {
            window.location.assign(url);
        }
        return false;
    }

    redirect();
</script>

It’s a bit hacky but it works - if you find a better solution, would love to hear about it!

Thanks

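As an added example (not code from the original post, from Bloomreach or from the support ticket), here is the same logout forwarding done as a plain servlet filter, i.e. the non-Spring variant the next reply alludes to. It assumes the Servlet 3.0 API, that the filter is deployed in the CMS web application (the same one that contains /WEB-INF/logout-redirect.jsp), that SSO_TENANT_ID is set as in the answer above, and that the CMS logout redirect lands on /logout; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter: handles /logout without Spring Security by ending the local
 * CMS session and forwarding to the iframe-breaking JSP from the thread.
 */
@WebFilter(urlPatterns = "/logout")
public class SsoLogoutFilter implements Filter {

    // the JSP must live under WEB-INF of the CMS web app, not the site web app
    private static final String REDIRECT_JSP = "/WEB-INF/logout-redirect.jsp";

    // tenant ids are GUIDs or verified domain names; anything else is a misconfiguration
    private static final Pattern TENANT_ID = Pattern.compile("^[A-Za-z0-9.-]+$");

    private String tenantId;

    @Override
    public void init(FilterConfig config) throws ServletException {
        tenantId = System.getenv("SSO_TENANT_ID");
        if (tenantId == null || !TENANT_ID.matcher(tenantId).matches()) {
            // fail at startup rather than build a broken logout URL per request
            throw new ServletException("SSO_TENANT_ID is missing or malformed");
        }
    }

    /** Azure AD v2.0 end-session endpoint, built the same way as in the answer above. */
    static String buildLogoutUrl(String tenantId) {
        return "https://login.microsoftonline.com/" + tenantId + "/oauth2/v2.0/logout";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // drop the local CMS session so the next request cannot reuse it
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // the logout page must not be served from cache after the session is gone
        response.setHeader("Cache-Control", "no-store");

        // the JSP inlines logoutUrl into a script, so it is set only from validated config
        request.setAttribute("logoutUrl", buildLogoutUrl(tenantId));
        request.getRequestDispatcher(REDIRECT_JSP).forward(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The filter deliberately does no path matching of its own and relies on the @WebFilter mapping; if you register it in web.xml instead, keep the url-pattern limited to /logout so ordinary CMS requests never lose their session.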

In addition, I also posted a similar solution in the support ticket, which uses a plain Java filter (in case you are not using Spring Security).

We are using Spring Security. I added the .logoutSuccessHandler and the JSP file. At the moment we are still being logged in again. Is there something I am missing?

Have you tried debugging the code? Does it actually go into the logout handler?

Hello everyone,
We got it working now. The redirect.jsp was in the site WEB-INF instead of the CMS WEB-INF. Thank you all for the quick and complete support.

Hello Everyone,

After getting this working we deployed to our test environment, which runs in the Bloomreach Cloud. The application server in the Bloomreach Cloud uses HTTP and Azure Active Directory expects an HTTPS redirect URI. We tackled this issue by adding the HTTPS redirect URI hardcoded to the system properties.

The problem that we are facing now is that when you access the test environment you get the SSO login. After authentication you see the Bloomreach login page again. There is no error or exception. What could be the reason that we are able to log in locally but not on the test environment?