How to do a logout from SiteMinder session for a Pivotal Cloud Foundry hosted JSP/Servlet application?


I am having a JSP/Servlet based application running on Pivotal Cloud Foundry and using SiteMinder for authentication.

The logout we implemented, which is currently unsuccessful, includes

  • calling request.getSession().invalidate()
  • followed by clearing the cookies (request.getCookies(), then setting MaxAge of all cookies to 0)
  • followed by calling the SiteMinder-provided /logout URL in a new popup window
  • followed by setting window.location to the PCF Logout for logging out of the PCF application.

With the above steps the logout is not successful. However, if I do Shift+Ctrl+Del and delete the cookies, then the logout works successfully. So programmatically I want to achieve the same behavior using Servlet and JSP.

Thanks in advance!


Daniel Mikusa

Using the Pivotal SSO Tile, there are two steps you need to do to make this work.

First, you need to set up your plan using the Layer7 SiteMinder Integration Guide.

As is listed there...

Single Sign‑On supports service provider-initiated authentication flow and single logout.

This is a fairly complicated process and very specific to your provider. The only tip I can give you here is to do things exactly like in the docs. It's very easy to break stuff, so following exactly what's written gives you the best chance for success.

Once you get your plan set up, the second part would be to create a service instance using the plan & bind that to your app. Then follow the instructions for integrating your app.

The part to take specific note of, which is what handles the single logout, is documented in the API here.

The logout endpoint is meant to be used by applications to log the user out of the UAA session. UAA will only log a user out of the UAA session if they also hit this endpoint, and may also perform Single Logout with SAML providers if configured to do so.

If you follow the docs for creating your service plan, it will be configured to do single logout, so you just need to make sure this endpoint is called after logging a user out in your app.

There's an example of how you'd do this for Spring Boot apps here.

    // LogoutSuccessHandler callback; Spring calls it once the local logout has completed.
    // ssoServiceUrl and clientId are fields of the enclosing handler (from the SSO binding).
    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
        // Where UAA should send the browser afterwards: the root of this application.
        UriComponents url = UriComponentsBuilder.fromHttpUrl(request.getRequestURL().toString())
                .replacePath("")
                .build();
        // UAA's /logout.do ends the UAA session and triggers single logout if configured.
        UriComponents redirectUrl = UriComponentsBuilder.fromHttpUrl(ssoServiceUrl)
                .path("/logout.do")
                .queryParam("client_id", clientId)
                .queryParam("redirect", url.toString())
                .build();
        response.sendRedirect(redirectUrl.toString());
    }

To explain, this code gets invoked by Spring after a successful logout. The code here is simply creating a URL to the /logout.do endpoint & issuing a redirect to the client. This is what's described in the doc link above.
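The same flow written as a plain servlet for the JSP/Servlet application in the question, as an added example that is not part of the answer or of the SSO tile's own code. The servlet name, the /logout mapping and the SSO_SERVICE_URL / SSO_CLIENT_ID environment variable names are assumptions; the values would come from the SSO service binding.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: local logout first, then hand the browser to UAA's /logout.do.
@WebServlet("/logout")
public class UaaLogoutServlet extends HttpServlet {
    // Assumed to come from the SSO service binding; the variable names are placeholders.
    private static final String SSO_SERVICE_URL = System.getenv("SSO_SERVICE_URL");
    private static final String CLIENT_ID = System.getenv("SSO_CLIENT_ID");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Drop the container session so the app stops trusting this browser.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // 2. Expire the app's own cookies. The browser only deletes a cookie when the
        //    Path (and Domain, if set) match the original; cookies scoped to another
        //    host cannot be cleared from here, which is why step 3 is needed.
        String path = req.getContextPath().isEmpty() ? "/" : req.getContextPath();
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                Cookie expired = new Cookie(c.getName(), "");
                expired.setMaxAge(0);
                expired.setPath(path);
                expired.setSecure(req.isSecure());
                expired.setHttpOnly(true);
                resp.addCookie(expired);
            }
        }
        // 3. Send the browser to UAA so the SSO session ends as well. UAA only honours
        //    a redirect target that is registered for this client, so register the app root.
        String url = req.getRequestURL().toString();
        String appRoot = url.substring(0, url.length() - req.getRequestURI().length()) + "/";
        String enc = StandardCharsets.UTF_8.name();
        resp.sendRedirect(SSO_SERVICE_URL + "/logout.do?client_id=" + URLEncoder.encode(CLIENT_ID, enc)
                + "&redirect=" + URLEncoder.encode(appRoot, enc));
    }
}
```

If the logout still only works after clearing cookies by hand, compare the Path and Domain of the cookies the browser keeps with what step 2 sets; a mismatch means the expiry is silently ignored.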