Configuring BMC Helix SSO to support immediate logout from all applications


You can configure the Redis server as a message broker between the BMC Helix Single Sign-On server and the BMC Helix SSO agent or Auth proxy to support immediate logout from all applications.

How single logout works

For users logged into multiple BMC Helix applications, BMC Helix SSO validates the user session with the BMC Helix SSO server at regular intervals and refreshes the cache, to keep users logged in as long as the session is valid. Single logout logs out a user from all applications when the user logs off from any one application.

Single logout without Redis server configuration

With the single logout option enabled for a realm, when a user who is working in multiple applications in the same browser session logs out from any one of the applications, the BMC Helix SSO server invalidates the browser session. However, because of the default caching on the BMC Helix SSO agent, users can still navigate applications that are open in other browser tabs for a specific time interval.

Single logout with Redis server configuration

When the single logout option is enabled for a realm, and the BMC Helix SSO server and agent are configured with a Redis server, the BMC Helix SSO server sends all revoked access tokens to the Redis server's message queue. The BMC Helix SSO agents subscribed to the Redis server's message queue are notified and they invalidate the cache for the session without any delay, logging the user out from all BMC Helix applications. 

This option applies to all applications:

  • Configured with the Redis server data
  • Accessed from the same realm
  • Accessed in the same browser session
  • Whose agents use the oidc-scoped flow, that is, each agent is based on an OAuth2 client. The OAuth clients may vary for each application agent.

For more information about configuring the BMC Helix SSO server with Redis server, see To configure the BMC Helix SSO server with the Redis server.
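
The difference between the two modes described above, as an added example that is not BMC code: a deterministic in-process model in which a list of callbacks stands in for the Redis channel. The class names, the 60-second cache lifetime and the token value are assumptions made for illustration.

```python
class Broker:
    """In-process stand-in for the Redis channel (assumption: no real Redis)."""
    def __init__(self):
        self.subscribers = []
    def publish(self, token):
        for callback in self.subscribers:
            callback(token)

class SsoServer:
    """Hypothetical server model: tracks valid tokens, publishes revocations."""
    def __init__(self, broker=None):
        self.valid, self.broker = set(), broker
    def logout(self, token):
        self.valid.discard(token)
        if self.broker:                  # Redis configured: announce the revoked token
            self.broker.publish(token)

class Agent:
    """Hypothetical agent model: caches a successful validation for cache_ttl seconds."""
    def __init__(self, server, cache_ttl, clock, broker=None):
        self.server, self.cache_ttl, self.clock = server, cache_ttl, clock
        self.cache = {}                  # token -> time the cached result expires
        if broker:                       # subscribed agents drop revoked tokens at once
            broker.subscribers.append(lambda token: self.cache.pop(token, None))
    def is_authenticated(self, token):
        now = self.clock()
        if self.cache.get(token, -1) > now:
            return True                  # served from cache, server not consulted
        if token in self.server.valid:
            self.cache[token] = now + self.cache_ttl
            return True
        return False

def stale_seconds(use_broker, cache_ttl=60, logout_at=10):
    """Seconds a second application keeps accepting the token after logout."""
    now = [0]                            # fake clock, so the run is deterministic
    broker = Broker() if use_broker else None
    server = SsoServer(broker)
    app_b = Agent(server, cache_ttl, lambda: now[0], broker)
    token = "tok-constructed"            # constructed sample value
    server.valid.add(token)              # user logs in
    app_b.is_authenticated(token)        # application B caches the result at t=0
    now[0] = logout_at
    server.logout(token)                 # user logs out of application A
    stale = 0
    while app_b.is_authenticated(token):
        stale += 1
        now[0] += 1
    return stale
```

Calling stale_seconds(False) gives the exposure window left by the agent cache alone, and stale_seconds(True) gives the window when the agent is subscribed to revocation messages.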

Before you begin

The single logout option must be enabled.

For more information about enabling this option, see Single logout.

To configure the BMC Helix SSO server with the Redis server

Due to the cache maintained by the BMC Helix SSO agent, the single logout is not immediate. To expedite single logout, the BMC Helix SSO SaaS administrator can configure the Redis server: 

  1. In the BMC Helix SSO Admin Console, select Service > Redis.
  2. Specify the following attributes:

    • Redis URI: Enter the Redis server URI; for example, redis-uri=redis://clm-tlv-vulqmf.bmc.com:6379.
    • Password: Enter the password required to access the Redis server. Setting the password is optional.
    • Channel: Enter the Redis channel for messaging; for example, redis-channel=500.

  3. Click Update.

The Redis configuration is applied to the BMC Helix SSO server and is effective only if BMC Helix SSO:

  • Uses Auth Proxy as a sidecar container
  • Uses the BMC Helix SSO agent

For more information about configuring the BMC Helix SSO agent, see Configuring the BMC Helix SSO agent.

Important

The Redis configuration can be accessed only by the SAAS_TENANT.
