lotus-domino, domino-designer-eclipse

How to logout from a Domino Web app when login is OIDC?


When using Domino for authentication, I would provide a logout link with ../names.nsf?logout and the user would be logged out.

In a new system, using an OIDC login (MS Entra), I want to provide the same logout capability. How do I do this?

I am running Domino version 12.0.2. I can see from the documentation that version 14 provides for back channel logout for OIDC, but I am not sure if this is something different to what I am talking about.


Solution

  • The OpenID Connect (OIDC) family of specs supports logout (from a single application) and global (or single) logout (from all applications that the user has logged into through the OpenID Provider, OP). With OIDC, you have the option of

    for logout.

    With Domino 14, OIDC back-channel logout is supported. Back-channel logout requests are accepted on the Domino server's callback URL -- either /names.nsf?OIDCLogin or /auth/protocol/oidc. See What's new in Domino 14? - Web user login with OIDC enhancements.

    If you prefer Front-Channel Logout, you need to register the logout endpoints for all your applications with Azure AD Application registration. Then you need to add code to your application that listens for logout requests from other applications and logs the user out when a request is received.

    import { PublicClientApplication } from "@azure/msal-browser";

    const config = {
      auth: {
        clientId: "your_app_id",
        redirectUri: "your_app_redirect_uri", // defaults to application start page
        postLogoutRedirectUri: "your_app_logout_redirect_uri",
      },
    };
    const myMsal = new PublicClientApplication(config);
    // homeAccountId identifies the signed-in account; it comes from the
    // AuthenticationResult (account.homeAccountId) returned at login
    const homeAccountId = "home_account_id_of_signed_in_user";
    // you can select which account application should sign out
    const logoutRequest = {
      account: myMsal.getAccountByHomeId(homeAccountId),
    };
    myMsal.logoutRedirect(logoutRequest);


    The code above is from https://learn.microsoft.com/en-us/answers/questions/1532499/entra-id-openid-single-sign-out where you can also find more info.
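The answer describes three pieces the relying party (the Domino web app) has to provide: a per-application logout that sends the browser to the OpenID Provider, a front-channel logout endpoint that accepts the OP's iframe request and terminates the local session, and, on Domino 14, a back-channel endpoint that receives a signed logout token. The following Node.js code is an added example of the server-side logic for those three pieces; it is not the poster's code, not part of MSAL and not Domino's own implementation. The issuer, client id, endpoint and session values are constructed placeholders, the Entra end_session_endpoint shape is assumed from the Entra documentation, and the logout-token check covers the claim rules only (the JWT signature must be verified against the OP's JWKS before these checks run).

```javascript
// Added example: relying-party logout helpers for an OIDC-protected web app.
// All identifiers below are constructed placeholders, not real tenants or tokens.

// 1. RP-initiated logout: redirect the browser to the OP's end_session_endpoint with
//    id_token_hint and a post_logout_redirect_uri that is registered at the OP.
//    For Entra ID the endpoint form is assumed to be
//    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout
function buildEndSessionUrl(endSessionEndpoint, idTokenHint, postLogoutRedirectUri) {
  const url = new URL(endSessionEndpoint);
  if (idTokenHint) url.searchParams.set("id_token_hint", idTokenHint);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}

// 2. Local session store keyed by the app's own session cookie value. Each entry records
//    the issuer and the OP session id (sid) from the ID token, because logout
//    notifications from the OP reference sessions by iss + sid (or sub).
class SessionStore {
  constructor() { this.sessions = new Map(); }
  create(cookieId, { sub, sid, iss }) { this.sessions.set(cookieId, { sub, sid, iss }); }
  has(cookieId) { return this.sessions.has(cookieId); }
  // Terminate every local session that belongs to the given OP session (sid) or,
  // when no sid is supplied, to the given subject. Returns the number revoked.
  revokeBy({ iss, sid, sub }) {
    let count = 0;
    for (const [cookieId, s] of this.sessions) {
      if (s.iss !== iss) continue;
      if ((sid && s.sid === sid) || (!sid && sub && s.sub === sub)) {
        this.sessions.delete(cookieId);
        count++;
      }
    }
    return count;
  }
}

// 3. Front-channel logout: the OP loads the registered logout URI in a hidden iframe with
//    iss and sid as query parameters. Only honour requests naming the issuer we trust,
//    and only clear the sessions tied to that OP session.
function handleFrontChannelLogout(query, store, expectedIssuer) {
  const { iss, sid } = query;
  if (!iss || !sid || iss !== expectedIssuer) {
    return { status: 400, revoked: 0 }; // unsolicited or mis-addressed request: ignore
  }
  return { status: 200, revoked: store.revokeBy({ iss, sid }) };
}

// 4. Back-channel logout: the OP POSTs a signed logout_token (JWT) server to server.
//    Verify the signature with the OP's JWKS first; this function applies the claim
//    rules from OpenID Connect Back-Channel Logout 1.0 to the decoded payload.
const BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout";
function validateLogoutTokenClaims(claims, expectedIssuer, clientId, nowSeconds) {
  if (claims.iss !== expectedIssuer) return { ok: false, reason: "bad issuer" };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) return { ok: false, reason: "bad audience" };
  if (typeof claims.iat !== "number") return { ok: false, reason: "missing iat" };
  if (typeof claims.exp === "number" && claims.exp < nowSeconds) return { ok: false, reason: "expired" };
  if (!claims.jti) return { ok: false, reason: "missing jti" }; // jti also enables replay detection
  if (!claims.sub && !claims.sid) return { ok: false, reason: "neither sub nor sid" };
  if (!claims.events || !(BACKCHANNEL_EVENT in claims.events)) {
    return { ok: false, reason: "missing backchannel-logout event" };
  }
  if ("nonce" in claims) return { ok: false, reason: "nonce must not be present" };
  return { ok: true };
}

function handleBackChannelLogout(claims, store, expectedIssuer, clientId, nowSeconds) {
  const check = validateLogoutTokenClaims(claims, expectedIssuer, clientId, nowSeconds);
  if (!check.ok) return { status: 400, revoked: 0, reason: check.reason };
  const revoked = store.revokeBy({ iss: claims.iss, sid: claims.sid, sub: claims.sub });
  return { status: 200, revoked };
}

// Constructed demo: two local sessions, one front-channel request from the trusted OP,
// one from an untrusted issuer (rejected), then a back-channel token for the other session.
const ISSUER = "https://login.microsoftonline.com/EXAMPLE-TENANT-ID/v2.0";
const CLIENT_ID = "00000000-0000-0000-0000-000000000000";
function runDemo() {
  const store = new SessionStore();
  store.create("cookie-A", { sub: "user-1", sid: "op-session-1", iss: ISSUER });
  store.create("cookie-B", { sub: "user-2", sid: "op-session-2", iss: ISSUER });
  const front = handleFrontChannelLogout({ iss: ISSUER, sid: "op-session-1" }, store, ISSUER);
  const spoofed = handleFrontChannelLogout({ iss: "https://untrusted.example", sid: "op-session-2" }, store, ISSUER);
  const token = { iss: ISSUER, aud: CLIENT_ID, iat: 1700000000, exp: 1700000120, jti: "demo-jti-1",
                  sid: "op-session-2", events: { [BACKCHANNEL_EVENT]: {} } };
  const back = handleBackChannelLogout(token, store, ISSUER, CLIENT_ID, 1700000010);
  return { front, spoofed, back, remaining: store.sessions.size };
}
```

The front-channel handler answers 200 even when it revokes nothing, because the OP's iframe only needs the load to complete; the 400 path is for requests that name a different issuer or omit sid, which should be logged rather than acted on. The same session store serves the `?logout` style link the question mentions: that link simply deletes the caller's own cookie entry and then redirects to the URL from buildEndSessionUrl so the OP session ends too.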