You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/spring-apps/how-to-configure-enterprise-spring-cloud-gateway.md
+32Lines changed: 32 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -122,6 +122,38 @@ You can also view or edit those properties in the Azure portal, as shown in the
122
122
>
123
123
> After configuring SSO, remember to set `ssoEnabled: true` for the Spring Cloud Gateway routes.
124
124
125
+
## Configure single sign-on (SSO) logout
126
+
127
+
VMware Spring Cloud Gateway service instances provide a default API endpoint to log out of the current SSO session. The path to this endpoint is `/scg-logout`. You can accomplish one of the following two outcomes depending on how you call the logout endpoint:
128
+
129
+
- Logout of session and redirect to IdP logout.
130
+
- Just logout the service instance session.
131
+
132
+
### Logout of IdP and SSO session
133
+
134
+
If you send a GET request to the `/scg-logout` endpoint, then the endpoint will send a 302 redirect response to the IdP logout URL. To get the endpoint to return the user back to a path on the gateway service instance, add a redirect parameter to the GET `/scg-logout` request. For example, `${serverUrl}/scg-logout?redirect=/home`.
135
+
136
+
The following steps describe an example of how to implement the function in your microservices.
137
+
138
+
1. You need [a route config](https://github.com/Azure-Samples/animal-rescue/blob/0e343a27f44cc4a4bfbf699280476b0517854d7b/frontend/azure/api-route-config.json#L32) to route the logout request to your application.
139
+
140
+
1. In that application, you can add whatever logout logic you need. At the end, you need to [send a get request](https://github.com/Azure-Samples/animal-rescue/blob/0e343a27f44cc4a4bfbf699280476b0517854d7b/frontend/src/App.js#L84) to the gateway's `/scg-logout` endpoint.
141
+
142
+
> [!NOTE]
143
+
> The value of the redirect parameter is a valid path on the gateway service instance. You can't redirect to an external URL.
144
+
145
+
### Log out just the SSO session
146
+
147
+
If you send the GET request to the `/scg-logout` endpoint using a `XMLHttpRequest` (XHR), then the 302 redirect could be swallowed and not handled in the response handler. In this case, the user would only be logged out of the SSO session on the gateway service instance and would still have a valid IdP session. The behavior typically seen in this case is that if the user attempts to log in again, they are automatically sent back to the gateway as authenticated from IdP.
148
+
149
+
You need to have a route configuration to route the logout request to your application, as shown in the following example. This code will make a gateway-only logout SSO session.
150
+
151
+
```java
152
+
const req =newXMLHttpRequest();
153
+
req.open("GET", "/scg-logout);
154
+
req.send();
155
+
```
156
+
125
157
## Configure cross-origin resource sharing (CORS)
126
158
127
159
Cross-origin resource sharing (CORS) allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. The available CORS configuration options are described in the following table.
0 commit comments