
Build Work Zone Single logout (SLO) for a multitenant application does not work

FranciscoGarcia
Explorer
0 Kudos

Hi everyone,

We have a multitenant application, with a launchpad-module, deployed on a provider subaccount. When subscribing from a consumer’s subaccount, launchpad-module is returned as a dependency, so the consumer can access the launchpad. Also, for the consumer subaccount we have an IAS using OpenID Connect protocol, through which we can access the launchpad.

Due to a necessity of having UI5 and React applications together, we have created an SAP Build WorkZone launchpad, on consumer’s subaccount. In this new launchpad, we have added UI5 applications from multitenant application (we see our multitenant application as Content-Provider in Content Channels tab) and a React application.

The React application calls API “/users-api” to get the current user data. This call is made through multitenant router.

So, when we log in to the Build WorkZone launchpad, it looks like Single-Sign-On (SSO) is working fine, because we are getting access not only to the launchpad, but to the multitenant UI5 app and its data too, meaning that SSO is propagating to multitenant router.

The problem arrives while doing logout. Build WorkZone launchpad throws Single Logout (SLO) from IAS, but it looks like logout is not propagated to multitenant router, so, when we log in again (with a different user) and call the “/users-api” we are getting the data from the previous user.

Is our approach wrong? Is there a way to extend or override the Build Work Zone standard logout process?

Thanks in advance.

Accepted Solutions (1)

Dinu
Contributor
0 Kudos

I don't think SLO works out of the box as you expect from Work Zone. Perhaps you can consult the SAP KB article mentioned in Work Zone documentation for this: 3000126 - Single logout is not working in Cloud Foundry

My reading is that the issue is not with approuter logout configuration or with xs-app.json configurations. These are for customizing the logout URL (default is do/logout) and triggering logout in connected backends respectively. It is simply that Work Zone does not know how to trigger logout; there is no configuration for letting it know this. Perhaps this is not true for launchpad modules. But it is for other embedded applications.

I could trigger logout of embedded applications in Work Zone from IAS by "Front Channel Logout" when Work Zone triggered logout of XSUAA. Perhaps this works for you too. Please let me know if it does.

FranciscoGarcia
Explorer
0 Kudos

Hi @Dinu,

It looks like you were right. Setting the logout URL of the approuter in "Front Channel Logout" is closing the approuter session correctly.

Thanks, 

Answers (2)

nicorunge
Participant
0 Kudos

Hi @FranciscoGarcia,

sorry for hijacking your question, but did I get you right that your SaaS Subscriber subaccount is using an IAS with OIDC protocol?


Also, for the consumer subaccount we have an IAS using OpenID Connect protocol, through which we can access the launchpad.

Is this IAS provided by a customer (so coming from a different global account) or are you providing the IAS for your customers who subscribe to your SaaS application (so it's created in the same global account, where your application is running)?
I had a discussion here, with the result that it's not possible to connect external IAS via OIDC, only via SAML protocol. That's why I'm wondering what your exact situation is.

Thanks for any feedback!
BR,
Nico

FranciscoGarcia
Explorer
0 Kudos

Hi @nicorunge,

No problem at all. Right, in our case we are working with an IAS bound to the Global Account. So, we can establish the connection from the "Establish Trust" button without problem.

Regards,

nicorunge
Participant
0 Kudos

Thank you for your feedback!

Ivan-Mirisola
Product and Topic Expert
0 Kudos

Hi @FranciscoGarcia,

What did you enter in the xs-app.json file for your application? Do you have a logout end-point defined? What about the logout HTML with the script that logs the user out?

Please see the following blog (session entitled 'Logout'):

https://community.sap.com/t5/technology-blogs-by-sap/sap-application-router/ba-p/13393550

Best regards,
Ivan

FranciscoGarcia
Explorer
0 Kudos

Hi @Ivan-Mirisola ,

Indeed, I was missing logoutEndpoint from xs-security approuter. And, as @Dinu said, adding the logout URL of the approuter in "Front Channel Logout" of the IAS, it seems to work.

Thanks,
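
The stale-session behaviour from the question and the "Front Channel Logout" fix from the accepted solution, as an added example that is not SAP code or code from this thread: a constructed in-memory model in which `IdP`, `RelyingParty`, `scenario` and the cookie value are hypothetical names, and the registered logout URL is modelled as a callback the browser triggers.

```javascript
// Constructed model (assumption, not SAP's implementation): the identity
// provider holds the login session, while the approuter-style relying party
// keeps its OWN session keyed by a browser cookie.
class RelyingParty {
  constructor() { this.sessions = new Map(); } // cookie -> user

  // Serve a request such as /users-api. The IdP is consulted only when the
  // relying party has no local session for this cookie.
  handle(cookie, idp) {
    if (!this.sessions.has(cookie)) {
      if (!idp.currentUser) return { status: 401 };
      this.sessions.set(cookie, idp.currentUser); // SSO creates the local session
    }
    return { status: 200, user: this.sessions.get(cookie) };
  }

  // Logout endpoint of the relying party (the thread mentions do/logout).
  logout(cookie) { this.sessions.delete(cookie); }
}

class IdP {
  constructor() { this.currentUser = null; this.frontChannelLogout = []; }
  login(user) { this.currentUser = user; }

  // Single logout: end the IdP session, then have the browser load every
  // registered front-channel logout URL, which carries the browser's cookie.
  logout(browserCookie) {
    this.currentUser = null;
    for (const visit of this.frontChannelLogout) visit(browserCookie);
  }
}

// Returns the user that /users-api reports after alice logs out and bob
// logs in from the same browser.
function scenario(registerFrontChannel) {
  const idp = new IdP();
  const approuter = new RelyingParty();
  const cookie = "session=constructed"; // constructed sample value
  if (registerFrontChannel) idp.frontChannelLogout.push(c => approuter.logout(c));
  idp.login("alice");
  approuter.handle(cookie, idp); // alice's approuter session is created
  idp.logout(cookie);            // the launchpad triggers SLO at the IdP
  idp.login("bob");              // a different user signs in
  return approuter.handle(cookie, idp).user;
}

console.log("without front-channel logout:", scenario(false)); // stale session
console.log("with front-channel logout:   ", scenario(true));
```

A useful regression check after configuring the logout URL is the same sequence against the real landscape: log out, log in as a second user in the same browser, and confirm the user API returns the second user.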