
SAS Viya 2023.07 OIDC Logout

Started 09-28-2023, modified 04-13-2024

The SAS Viya 2023.07 release introduces a minor change to the processing of OpenID Connect (OIDC) logout operations. Logging out from the OIDC Provider when logging out from SAS Viya, or from any other Relying Party, is not part of the Core specification of OpenID Connect. However, it is defined in a complementary specification, OpenID Connect RP-Initiated Logout 1.0, which is implemented by some OIDC Providers. For example, Azure Active Directory does implement this additional specification. With the SAS Viya Stable release 2023.07, SAS Viya has also introduced support for this feature. In this article we will examine how this is implemented in SAS Logon Manager.

 

SAS Logon Manager Implementation

 

With the SAS Viya Stable release 2023.07 an additional property has been added to the sas.logon.oauth.providers configuration. The additional property logoutUrl specifies the URL to which SAS Viya should perform a redirect to request that the End-User be logged out at the provider. SAS Logon Manager will use the value in the logoutUrl property if it is defined. In SAS Environment Manager the new logoutUrl property of the sas.logon.oauth.providers configuration looks like the following:

 

Edited_01_SR_EV_OIDC_LogoutUrl.png


 

However, if SAS Logon Manager has been provided with the discoveryUrl property, it is also able to find the logoutUrl value automatically from the OIDC configuration obtained from the OIDC Provider. As per the specification, SAS Logon Manager looks for the end_session_endpoint attribute in the OIDC Provider Discovery Metadata. If this exists, you do not need to set a value for the logoutUrl property of sas.logon.oauth.providers. Remember that the discoveryUrl property is not required for the OIDC configuration of SAS Logon Manager, but it can be used to simplify the configuration by enabling SAS Logon Manager to look up attributes from the OIDC Provider.

 

For example, if you are using Azure Active Directory as your OIDC Provider, you can view sample OIDC Provider Discovery Metadata at: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration. This presents the following sample metadata about the OIDC Provider:

 

{
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "token_endpoint_auth_methods_supported": [
        "client_secret_post",
        "private_key_jwt",
        "client_secret_basic"
    ],
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
    ...
    ...
    "end_session_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/logout",
    ...
    ...
}

 

We have abbreviated the output to highlight the inclusion of the end_session_endpoint attribute. Therefore, when configuring Azure Active Directory as the OIDC Provider, if you define the discoveryUrl property of sas.logon.oauth.providers to point to your Azure Active Directory tenant-specific URL, https://login.microsoftonline.com/{tenantid}/v2.0/.well-known/openid-configuration, you will benefit from the new logout behaviour, which uses your Azure Active Directory tenant-specific end_session_endpoint: https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout. SAS Logon Manager will redirect to Azure Active Directory for logout, and the user will be prompted to log out of Azure Active Directory as shown here:

 

02_SR_AzureLogout.png

 

More details on how Azure Active Directory implements the logout functionality can be found here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#single-sign-out.

 

Equally, if you are using OKTA as your OIDC Provider for SAS Logon Manager and use the discoveryUrl setting you can automatically use the new logout behaviour. OKTA also provides an end_session_endpoint attribute as part of the OIDC Provider Discovery Metadata, as documented here: https://developer.okta.com/docs/reference/api/oidc/#well-known-openid-configuration. The process used when redirecting the user’s browser to the end_session_endpoint for OKTA is documented here: https://developer.okta.com/docs/reference/api/oidc/#logout.

 

However, not all OIDC Providers implement the complementary specification OpenID Connect RP-Initiated Logout 1.0. For example, PingFederate Server does not publish an end_session_endpoint as part of its OIDC Provider Discovery Metadata. Reviewing the documentation for PingFederate shows that it instead implements its own form of single logout.

 

Preventing Logout from OIDC Provider

 

If your chosen OIDC Provider does implement the complementary specification OpenID Connect RP-Initiated Logout 1.0 but you do not want SAS Logon Manager to trigger a logout from the OIDC Provider, you can prevent this. In this case you would ensure that both the logoutUrl and discoveryUrl properties are not set, or are left blank, in the sas.logon.oauth.providers configuration. You then need to ensure that you correctly set the properties issuer, tokenKey, or tokenKeyUrl for the sas.logon.oauth.providers configuration, since these properties can no longer be obtained from the OIDC Provider Discovery Metadata. Because SAS Logon Manager is not provided with the logoutUrl and is unable to look up the end_session_endpoint, the logout from the OIDC Provider will not occur. When users log out from SAS Viya their sessions will be maintained with the OIDC Provider, and they can seamlessly log back into SAS Viya without any prompting from the OIDC Provider.
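The lookup precedence described above (explicit logoutUrl, otherwise end_session_endpoint from the discovery metadata, otherwise no provider logout) and the resulting RP-Initiated Logout redirect, as an added Python example that is not SAS Logon Manager's code. The provider hosts, the offline discovery stand-in and the rule that issuer plus one of tokenKey/tokenKeyUrl must be set by hand when discoveryUrl is blank are assumptions made for the example.

```python
import json
from urllib.parse import urlencode

# Constructed, abbreviated discovery metadata for two hypothetical providers:
# idp-a publishes end_session_endpoint (as Azure AD and Okta do); idp-b does
# not (the situation the article describes for PingFederate).
DISCOVERY_DOCS = {
    "https://idp-a.example.com/.well-known/openid-configuration": json.dumps({
        "issuer": "https://idp-a.example.com",
        "jwks_uri": "https://idp-a.example.com/keys",
        "end_session_endpoint": "https://idp-a.example.com/logout",
    }),
    "https://idp-b.example.com/.well-known/openid-configuration": json.dumps({
        "issuer": "https://idp-b.example.com",
        "jwks_uri": "https://idp-b.example.com/jwks",
    }),
}

def fetch_discovery(discovery_url):
    """Offline stand-in for fetching the provider's discovery document over HTTPS."""
    return json.loads(DISCOVERY_DOCS.get(discovery_url, "{}"))

def resolve_logout_url(provider_cfg):
    """Explicit logoutUrl wins; else end_session_endpoint from discovery; else None."""
    if provider_cfg.get("logoutUrl"):
        return provider_cfg["logoutUrl"]
    if provider_cfg.get("discoveryUrl"):
        return fetch_discovery(provider_cfg["discoveryUrl"]).get("end_session_endpoint")
    return None

def missing_manual_properties(provider_cfg):
    """With discoveryUrl blank, issuer and tokenKey/tokenKeyUrl must be set by hand (assumed rule)."""
    if provider_cfg.get("discoveryUrl"):
        return []
    missing = [] if provider_cfg.get("issuer") else ["issuer"]
    if not (provider_cfg.get("tokenKey") or provider_cfg.get("tokenKeyUrl")):
        missing.append("tokenKey or tokenKeyUrl")
    return missing

def build_logout_redirect(provider_cfg, id_token_hint=None, post_logout_redirect_uri=None):
    """RP-Initiated Logout redirect, or None when no provider logout should happen."""
    endpoint = resolve_logout_url(provider_cfg)
    if not endpoint:
        return None
    params = {k: v for k, v in (("id_token_hint", id_token_hint),
                                ("post_logout_redirect_uri", post_logout_redirect_uri)) if v}
    return endpoint + ("?" + urlencode(params) if params else "")
```

A configuration with neither logoutUrl nor discoveryUrl yields no redirect, which is the "Preventing Logout" case; the same configuration flags the properties that must then be set manually.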

 

Comparison with Previous Releases

 

In previous releases of SAS Viya it was still possible to trigger logout from the OIDC Provider when logging out from SAS Viya, but this relied upon the custom sign-out and custom time-out content. Customizing the sign-out and session time-out content is covered in the SAS Viya Platform Administration Guide. A custom page could be loaded containing the JavaScript required to trigger the logout from the OIDC Provider. Alternatively, the end-session endpoint of the OIDC Provider could itself be loaded within the iframe, provided the content security settings of both SAS Logon Manager and the OIDC Provider allow that content to be displayed in an iframe. For example, with Azure Active Directory as the OIDC Provider we can configure the custom sign-out to call Azure Active Directory directly. This results in an Azure Active Directory page being displayed in the iframe as shown here:

 

03_SR_LogoutCustomAAD.png

 

Conclusion

 

As illustrated above, the new logout behaviour for SAS Logon Manager with a supporting OIDC Provider is much easier to implement than in previous releases. In many cases with a supporting OIDC Provider it will be configured automatically for you without any additional steps. Equally, if you do not wish to log out from the OIDC Provider when logging out from SAS Viya, this is easy to achieve as well.

 

If you want to explore this topic in more detail, you can refer to Course: Advanced Topics in Authentication on SAS Viya.
