Status
Current-Status: In-Progress
Discussion:
JIRA:
Motivation
With the Single Sign On (SSO) ability supported with different Identity Providers (IdP), Knox needs to have an ability to support "logging out" of applications and Identity providers.
The main purpose of this KIP is to document the design flow to for KnoxSSO logout feature (henceforth called KnoxSSOUT).
Logout flow might change depending on the method used for SSO i.e.
- SAML
- CAS
- OAuth
- OpenID Connect
Design
The above mentioned methods are transparent to KnoxSSO users so it is imperative that the logout should behave in a similar fashion. As a result, there should be one logout url that would logout the current user based on the type of SSO used. We propose the following url
https://{gateway-host}:{gateway-port}/{cluster-name}/{knox-sso-out-topo}/api/v1/webssout
Here, {knox-sso-out-topo} is the name of the KnoxSSO out topology (knoxssout.xml).
In some cases simply deleting local cookies will terminate the session (CAS) in some cases a specially crafted logout request needs to be sent to the IdP (SAML), Knox should be able to seamlessly handle these cases. Fortunately, Pac4J does most of the heavy lifting for us, but there needs to be some more work done on the integration to make logout work seamlessly for Knox. The following sections will describe the logout flow.
SAML
