Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

OneWelcome Identity Platform
- Explore Thales Docs

IDAAS core
User journey orchestration
Consent and preference management
Delegated user management
- Getting started
- Roles
- Rules
- User management
- Self service page
- Data
- APIs
- Apps
- Jobs
- Reports
Externalized authorization
Identity broker
Mobile identity
Mobile SDK
API references
Release notes and FAQ
Integrations

All

All

iFrame session monitoring

End session API

IDAAS core
Tenants and brands
Identity store and data model
SCIM API
- SCIM schemas
- SCIM user management
- SCIM user attributes
- SCIM API versions
Credential store
- Email address management
- Password management
- Password migration
Tokens
- Access tokens
- ID tokens
- Refresh tokens
- Access token API
- Token introspection API
Authentication
- Client authentication methods
- Step-up authentication
- Custom authenticators
- Authentication FAQ
Custom registration
- Custom registration examples
- QR registration example
- Stateless custom registration
- Custom registration API v1
- Custom registration v2
- Back-channel communication API
OAuth 2.0 and OpenID Connect
- OAuth 2.0 and OpenID Connect API
- Proof Key for Code Exchange
- Dynamic client registration API
- OAuth client authentication methods
- Device flow
- OAuth OIDC error handling
- OAuth 2.0 and OpenID Connect setup
- OpenID Connect
- OpenID Connect authentication
- OpenID Connect scopes and claims
- User claims and attributes
- OpenID provider configuration
- ID token encryption
- iFrame session monitoring
  - Relying party iFrame
  - End session API
  - Session management APIs
- Relying party examples
- OAuth endpoints
- Discovery API
- JSON Web Key Set API
- User information API
- OAuth configuration
- OAuth consent API
Web clients
- Web clients API
- Migration of web clients with hashed secrets
- Resource owner password credentials
Web hooks
- Web hooks configuration API
API rules
Notification API
Event store
- Audit events
- Audit log
- Events API
- Excluded events
- Security events
Securing resources
User session API
User management
Uniquely identify guests
Email overview

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

OneWelcome Identity Platform
IDAAS core
OAuth 2.0 and OpenID Connect
iFrame session monitoring
End session API

End session API

This guide covers configuration and expected flows for the End Session API.

Configuration

Delete tokens on logout

When enabled, this deletes any access tokens and refresh tokens for a session when the end-session endpoint is called. Use this setting when you use the PKCE client authentication method.

If a client enables SAML SLO and does not use refresh tokens, the tokens are removed regardless of this setting.

Post-logout redirect URIs

After hitting the end-session endpoint, you likely want your relying party (RP) to be redirected back to one of your own pages. You can configure one primary or default URI and many additional URIs that you allow the OP to redirect the RP to. When making a request to the endpoint, you can specify a post_logout_redirecturi as part of your request, but it must match one of the configured URLs in the OpenID Client configuration. If no URI is specified in the request, it falls back to the default or doesn't redirect at all if nothing is configured.

Front-channel logout support

The OneWelcome Identity Platform OP implementation also supports OpenID Connect Front-Channel Logout 1.0. You can configure a front-channel logout URI on the admin console. This URI is included in the end session HTML as an iFrame that executes a GET request toward a particular URI. This is most commonly used to help with single logout (SLO) in the relying party's apps.

Flow diagram

The flow diagram shows the RP logout and front channel with three RPs.

RP logout + Front Channel (3 Relying Parties)

The following steps occur only after the session has already been established at the RP and OP:

The user wants to log out and clicks a logout link for an RP.
The user agent triggers the end-session URL on the OP.

It should be triggered with at least an id_token_hint and optionally a post_logout_redirect_uri. It should be included if the user agent wants to redirect to a specific URI after a successful logout.
The OP invalidates its own session, which links to all three RPs in it.
The OP generates a logout page that contains an iFrame for each RP that was in that particular session and returns it to the user agent.
The user agent renders the logout page, which triggers requests to the RPs to invalidate the sessions. The RPs should have reachable URIs that trigger an end in the session on the RP.
Each RP receives the request independently, destroys its own session, and cleans up cookies or storage.
The user agent displays a successfully logged out page or is redirected to another page based on the post_logout_redirect_uri that was specified in step 1.

To see an example of the HTML, see the End session API.

On this page

OneWelcome Identity Platform

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Support Contacts
Legal
- End User License Agreement
- Terms of Service

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com