TIBCO Spotfire® Server and Environment - Installation and Administration

Single logout (SLO)

Single logout (SLO) means that when a user who logged in through single sign-on (SSO) signs out of a particular application, the user is also logged out of the other applications in the same session. The Spotfire Server supports several forms of single logout: it can initiate the logout because the user logged out of the Spotfire Server, or it can act on an event where the user logged out of some other application by logging the user out of the Spotfire Server as well.

The easiest way to set up SLO is to use OpenID Connect (OIDC). The OIDC options are configured using either the config-oidc command or the OpenID Connect panel of the Configuration Tool.

The Spotfire Server also supports a couple of other options, not tied to OIDC. You can configure generic front-channel logout and a post-logout URI using the Security panel of the Configuration Tool.

RP-initiated logout

RP-initiated logout means that when a user who is accessing the Spotfire Server through a Relying Party (RP) (e.g., a web browser application, not Spotfire Analyst) explicitly logs out, the user is redirected to the OIDC provider to be logged out there as well. It does not apply when sessions expire.

It is also possible to specify generic (non-OIDC) SLO using the set-config-prop command and the configuration property security.logout.post-logout-uri, which is then set to the URI to which the user's browser should be redirected after logging out.

Front-channel logout

Front-channel logout means that when a Spotfire user who is using a web browser logs out of the provider, the provider loads the front-channel logout URI, which logs the user out of the Spotfire Server as well.

It is also possible to specify generic (non-OIDC) SLO using the set-config-prop command and the configuration property security.logout.frontchannel-logout.enabled. This enables an endpoint, available at /spotfire/auth/v1/generic-frontchannel-logout, to which the user's browser should be redirected to perform a logout.

Note: Front-channel logout depends on the use of third-party cookies and might not work in all browsers. Consider using back-channel logout instead.

Back-channel logout

Back-channel logout means that when a user logs out of the provider, the provider makes a request to the Spotfire Server to log the user out there as well.
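To make the provider's back-channel request concrete, the following added example (not taken from the Spotfire documentation or the product's code) applies the claim checks that the OpenID Connect Back-Channel Logout 1.0 specification defines for the logout token carried in that request. The function name, the issuer and client values, the 300-second iat window, and the sample payload are assumptions constructed for illustration, and signature verification is assumed to have happened before this function is called.

```python
import time

# Event type member name defined by OpenID Connect Back-Channel Logout 1.0.
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def check_logout_token(claims, issuer, client_id, seen_jti, now=None, max_age=300):
    """Return the (sub, sid) pair to log out, or raise ValueError.

    `claims` is the payload of a logout token whose signature has ALREADY been
    verified against the provider's keys (assumption; not shown here).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        raise ValueError("iat missing or outside accepted window")
    events = claims.get("events")
    if not isinstance(events, dict) or LOGOUT_EVENT not in events:
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:
        # An ID token replayed at the logout endpoint would carry a nonce.
        raise ValueError("nonce present: not a logout token")
    sub, sid = claims.get("sub"), claims.get("sid")
    if sub is None and sid is None:
        raise ValueError("neither sub nor sid: no session to terminate")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("jti missing or replayed")
    seen_jti.add(jti)
    return sub, sid

# Constructed sample payload (not captured from a real provider).
SAMPLE = {
    "iss": "https://idp.example.com",
    "aud": "spotfire-client",
    "iat": 1700000000,
    "jti": "b1c2d3",
    "sid": "session-42",
    "events": {LOGOUT_EVENT: {}},
}

if __name__ == "__main__":
    print(check_logout_token(SAMPLE, "https://idp.example.com",
                             "spotfire-client", set(), now=1700000010))
```

The caller then ends every local session that matches the returned sub or sid; a rejected token must leave existing sessions untouched.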

See also: Configuring OpenID Connect; Manually editing the server configuration in an XML or text editor; Manually editing the server configuration in the configuration tool.