Single Sign-out
Single sign-out (SSO) signs a user out of a secured application and clears both the remote application session generated by the identity provider and the local Pomerium session.
OIDC Front-Channel Logout
Pomerium supports Front-Channel Logout as described in OpenID Connect Front-Channel Logout 1.0 - draft 04.
Identity provider support
See if your identity provider (IdP) supports Front-Channel Logout by checking your IdP's /.well-known/openid-configuration endpoint. If your IdP supports it, you may see something similar to the JSON data below:
{
  "frontchannel_logout_session_supported": true
}
Configure single sign-out
To correctly implement SSO, you must register a frontchannel_logout_uri for your application that includes the path /.pomerium/sign_out.
The frontchannel_logout_uri must match the external route in your policy. For example, app.corp.example.com/.pomerium/sign_out.
If configured correctly, the following actions occur:
- The proxy service receives the sign-out request and clears the local Pomerium session
- The proxy service redirects the request to the authenticate service URL's /.pomerium/sign_out endpoint
- The authentication service clears the remote application session
While it is possible to implement SSO using the authenticate service URL and the /.pomerium/sign_out endpoint, this method is not recommended.
Signing out with the authenticate service URL won’t delete the session cookie on the route itself. To terminate the remote application and Pomerium sessions, you must point sign-out requests to the external route.
Well-known Pomerium endpoint
See Pomerium's /.well-known/pomerium endpoint to view OAuth, OIDC, and JWKS data.
For example:
{
  "authentication_callback_endpoint": "https://authenticate.localhost.pomerium.io/oauth2/callback",
  "jwks_uri": "https://authenticate.localhost.pomerium.io/.well-known/pomerium/jwks.json",
  "frontchannel_logout_uri": "https://authenticate.localhost.pomerium.io/.pomerium/sign_out"
}
Note: a CSRF token is required for the single sign-out endpoint (despite it supporting GET and POST) and can be retrieved from the X-CSRF-Token response header on the well-known endpoint above or using the _pomerium_csrf session set.
Single sign-out example with Pomerium
The example below demonstrates how to correctly implement SSO using the JavaScript SDK:
export const signOut = (redirectUrl) => {
  // Sign out via the external route so the proxy clears the route's own session first.
  let location = window.location.origin + '/.pomerium/sign_out';
  if (redirectUrl) {
    location += '?pomerium_redirect_uri=' + encodeURIComponent(redirectUrl);
  }
  window.location.href = location;
};
In the example above, the signOut function appends the /.pomerium/sign_out endpoint to the external route URL, then redirects the user.
From here, the proxy service clears the external route session and redirects the user to the authenticate service URL to clear the Pomerium session.
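The helpers below are an added example, not code from the Pomerium SDK: they build the sign-out URL on the external route, check that the frontchannel_logout_uri registered at the IdP actually targets that route's /.pomerium/sign_out path (the misconfiguration warned about above), and read the CSRF token from a well-known response. The route origin, the plain-object response shape and the token value are constructed assumptions.

```javascript
// Added example (not Pomerium's own code). Assumes the external route origin is
// known and models the /.well-known/pomerium response as { headers, body }.
const SIGN_OUT_PATH = '/.pomerium/sign_out';

// Build the sign-out URL on the external route (never the authenticate service),
// so the proxy clears the route's session cookie before redirecting onward.
function buildSignOutUrl(routeOrigin, redirectUrl) {
  const url = new URL(SIGN_OUT_PATH, routeOrigin);
  if (redirectUrl) {
    // URLSearchParams percent-encodes the redirect target for us.
    url.searchParams.set('pomerium_redirect_uri', redirectUrl);
  }
  return url.toString();
}

// Configuration check: the URI registered at the IdP must be HTTPS, on the same
// host as the policy's external route, and end in the Pomerium sign-out path.
function frontChannelLogoutUriMatchesRoute(registeredUri, routeOrigin) {
  let registered;
  try {
    registered = new URL(registeredUri);
  } catch (e) {
    return false; // not a parseable absolute URL
  }
  const route = new URL(routeOrigin);
  return registered.protocol === 'https:' &&
    registered.host === route.host &&
    registered.pathname === SIGN_OUT_PATH;
}

// Read the CSRF token from the X-CSRF-Token response header (header names are
// case-insensitive, so compare in lowercase).
function csrfTokenFromWellKnown(response) {
  for (const [name, value] of Object.entries(response.headers || {})) {
    if (name.toLowerCase() === 'x-csrf-token' && value) {
      return value;
    }
  }
  return null;
}

// Constructed sample response; the token value is a placeholder, not a real one.
const sampleWellKnown = {
  headers: { 'X-CSRF-Token': 'constructed-csrf-token' },
  body: { frontchannel_logout_uri: 'https://authenticate.localhost.pomerium.io/.pomerium/sign_out' },
};
```

In a browser you would pass `window.location.origin` as the route origin and assign the returned URL to `window.location.href`, as the SDK's signOut does.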