Product: TIBCO Spotfire Server
Versions: 10.3 and above
Summary:
This article describes ways to log out of the active Spotfire session (internal/embedded) when the external session logs out.
Details:
OIDC, External Authentication or Custom Web Authentication can be used for a seamless login to Spotfire, for example when embedding Spotfire analytics into web applications.
For a seamless experience, the custom web application must be set up to log out the internal Spotfire session when the external session logs out. Otherwise the internal Spotfire session remains valid even after the external session is invalidated.
Resolution:
The best way to do this is to use short session timeouts at the Spotfire level, log out only the external session, and wait for the Spotfire session to expire.
https://docs.tibco.com/pub/spotfire_server/latest/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/absolute_session_timeout_and_idle_session_timeout.html
In version 10.10 and before:
There was also a logout.jsp page, reachable at http://<spotfireserverhost>:<port>/spotfire/logout.jsp, that invalidated the session. Note, however, that this is an internal and undocumented endpoint.
https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-48491
In version 11.0 and above:
- logout.jsp is no longer present and therefore cannot be reached.
- The /spotfire/auth/v1/generic-frontchannel-logout endpoint works almost exactly like the previous /spotfire/logout.jsp. This new endpoint can be disabled or enabled, and is disabled by default. It can be enabled using the security.logout.frontchannel-logout.enabled configuration property.
- https://docs.tibco.com/pub/spotfire_server/latest/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/set-config-prop.html?scroll=GUID-6BE4B3BC-B9E0-4345-9259-7BD035D2D3B9
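A logout handler for the embedding web application that calls this endpoint before ending the external session, as an added example that is not TIBCO code. It assumes the endpoint has been enabled and accepts a plain GET from a hidden iframe; the function names and the externalLogout callback are hypothetical.

```javascript
// Added example, not TIBCO code. The endpoint path comes from the article;
// the GET-in-a-hidden-iframe call style and all function names are assumptions.
const LOGOUT_PATH = '/spotfire/auth/v1/generic-frontchannel-logout';

// Build the logout URL from the configured server base; only http(s) allowed.
function spotfireLogoutUrl(serverBase) {
  const base = new URL(serverBase);
  if (base.protocol !== 'https:' && base.protocol !== 'http:') {
    throw new Error('unexpected scheme: ' + base.protocol);
  }
  return base.origin + LOGOUT_PATH;
}

// Load the endpoint in a hidden iframe so the browser sends the Spotfire
// session cookie. Resolves 'loaded', 'error' or 'timeout'; never rejects, so
// the external logout always proceeds. 'loaded' only means the frame finished
// loading, not that the session was invalidated (third-party cookie blocking
// can prevent that), so short Spotfire session timeouts remain the backstop.
function logoutSpotfire(doc, serverBase, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const frame = doc.createElement('iframe');
    let timer;
    const finish = (outcome) => {
      clearTimeout(timer);
      frame.remove();
      resolve(outcome);
    };
    frame.style.display = 'none';
    frame.onload = () => finish('loaded');
    frame.onerror = () => finish('error');
    timer = setTimeout(() => finish('timeout'), timeoutMs);
    frame.src = spotfireLogoutUrl(serverBase);
    doc.body.appendChild(frame);
  });
}

// Logout handler for the embedding web app: Spotfire first, then the
// external session (externalLogout is the app's own function, hypothetical).
async function logoutEverywhere(doc, serverBase, externalLogout) {
  const spotfire = await logoutSpotfire(doc, serverBase);
  await externalLogout();
  return spotfire;
}
```

In the browser, pass `document` as the first argument and log any outcome other than 'loaded' so that sessions left to expire by timeout are visible.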
If single sign-on (SSO) is used to authenticate to the Spotfire Server, the following options are available as well:
- Front-channel logout
- Back-channel logout
- RP-initiated logout
- Post-Logout URI
For more information, refer to the manual on Single logout (SLO):
https://docs.tibco.com/pub/spotfire_server/latest/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/single_logout_slo.html
You can see these options in the OpenID Connect panel and in the Security panel of the Configuration Tool.
Note: Front-channel logout depends on the use of third-party cookies and might not work in all browsers or in later browser updates.