Try out the single logout function with single sign-on, and HTTP session persistence backed by JCache, in the March 2018 beta of WebSphere Liberty.

Thanks to your support for our regular beta programme, we are able to release new Liberty features every few months. Check out the 18.0.0.1 release of WebSphere Liberty which is built on the 18.0.0.1 release of Open Liberty. Both were released today. Look out for more betas over the coming months. If you just can’t wait, take a look at the daily builds of Open Liberty.

Follow Open Liberty happenings on @OpenLibertyIO.

What’s new in this beta?


Single logout with SAML Web single sign-on (SSO)

Liberty as a SAML service provider is now equipped with the SAML single logout function which allows users to terminate all the login sessions established using SAML Web single sign-on (SSO). This single logout function can be initiated from either the service provider or the identity provider.

Using SAML Web SSO, the user logs in to the identity provider once and receives unlimited access to different web applications without additional login prompts. It is not easy for the end user to be aware of all the opened web sessions and, as a result, they can end up with orphaned log-in sessions which might pose a security risk.

This new SAML single logout (SLO) function enables near-simultaneous logout of an end user. It also allows users to terminate all their login sessions with one click of a mouse button, and it can be initiated from either the service provider or the identity provider.

To enable the SSO feature in the server.xml:

<featureManager>
   <feature>samlWeb-2.0</feature>
</featureManager>

To configure the Liberty service provider (SP) for SAML single logout:

The Liberty SingleLogoutService URL takes the format https://<hostname>:<sslport>/ibm/saml20/<SP configuration ID>/slo, and can be found in the Liberty SP’s metadata (https://<hostname>:<sslport>/ibm/saml20/<SP configuration ID>/samlmetadata).

For an identity provider (IdP)-initiated single logout, no additional configuration step is required. The Liberty SP listens for logout requests on the SingleLogoutService URL and automatically responds to the single logout request.

To create a logout button for the SP to start an SP-initiated single logout, your logout button must redirect the web browser to the URL https://<hostname>:<sslport>/ibm/saml20/<SP configuration ID>/logout. When a user clicks the logout button, the Liberty SP automatically starts the single logout request and, after the logout has completed, redirects the user to the post-logout page, which indicates the logout status. You can use the new postLogoutRedirectUrl SAML configuration attribute to specify a customized post-logout landing page.
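As an added example (not part of the original post or of Liberty itself), the following Python check reads an SP metadata document, confirms that the advertised SingleLogoutService endpoint is HTTPS and matches the URL format above, and derives the matching SP-initiated logout URL. The metadata is a constructed sample; the host, port and the SP configuration ID `defaultSP` are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# URL shape given in the post: /ibm/saml20/<SP configuration ID>/slo
SLO_PATH = re.compile(r"^/ibm/saml20/(?P<sp_id>[^/]+)/slo$")

# Constructed sample metadata; host, port and SP ID "defaultSP" are assumptions.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com:9443/ibm/saml20/defaultSP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com:9443/ibm/saml20/defaultSP/slo"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com:9443/ibm/saml20/defaultSP/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def slo_endpoints(metadata_xml):
    """Return (sp_id, binding, location) for each SingleLogoutService entry."""
    root = ET.fromstring(metadata_xml)
    found = []
    for svc in root.iterfind(".//md:SPSSODescriptor/md:SingleLogoutService", MD_NS):
        location = svc.get("Location", "")
        url = urlsplit(location)
        match = SLO_PATH.match(url.path)
        # Reject plain-HTTP endpoints and paths that do not follow the SLO format.
        if url.scheme != "https" or match is None:
            raise ValueError(f"unexpected SingleLogoutService location: {location!r}")
        found.append((match.group("sp_id"), svc.get("Binding"), location))
    if not found:
        raise ValueError("metadata advertises no SingleLogoutService endpoint")
    return found

def sp_logout_url(slo_location):
    """Derive the SP-initiated logout URL (.../logout) from the SLO endpoint."""
    base, _, last = slo_location.rpartition("/")
    if last != "slo":
        raise ValueError("not a SingleLogoutService URL")
    return base + "/logout"

if __name__ == "__main__":
    for sp_id, binding, location in slo_endpoints(SAMPLE_METADATA):
        print(sp_id, binding, location, "->", sp_logout_url(location))
```

To check a real server, save the document served at the samlmetadata URL to a file and pass its contents to `slo_endpoints`.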

HTTP session persistence backed by JCache

This feature provides a beta of the ability to have WebSphere Application Server Liberty persist HTTP sessions to a JCache (Java Caching) provider in place of a database.

Enable the sessionCache-1.0 feature in server.xml and configure the httpSessionCache configuration element to point at any JCache 1.1 spec compliant Java Caching provider. The httpSessionCache element accepts a URI to provider specific configuration and has a nested properties element that accepts generic key/value pairs for properties that are supplied to the JCache provider:

<featureManager>
   <feature>servlet-4.0</feature>
   <feature>sessionCache-1.0</feature>
</featureManager>
 
<httpSessionCache libraryRef="HazelcastLib" uri="file:${shared.resource.dir}/hazelcast/hazelcast-client.xml">
   <properties prop1="value1"/>
</httpSessionCache>

<library id="HazelcastLib">
   <file name="/usr/lib/hazelcast.jar"/>
</library>

To find out more, see Andy Guibert’s new blog post on adding distributed in-memory session caching to your Java apps or check out the WebSphere Liberty Knowledge Center docs.

What’s already in there?

The February Liberty beta included a preview of MicroProfile 1.3: MicroProfile Rest Client 1.0, MicroProfile Config 1.2, and MicroProfile OpenAPI 1.0.

MicroProfile 1.3 is now fully-supported in WebSphere Liberty 18.0.0.1, which was released today.

Looking for the latest?

If you’re visiting this post from the future and you’re looking for the latest releases of Liberty, here are the links you’re looking for:

Latest beta release
Latest stable release


2 comments on "Try out single logout with single sign-on in the March Liberty beta"

  1. We are looking for session persistence across multiple Liberty instances in a farm and this can be a potential solution.
    Will we have sessionCache-1.0 in the Q2 Liberty release [18.0.0.2]?

    • Andy Guibert March 22, 2018

      We are aiming to have the sessionCache-1.0 feature ready for 18.0.0.2, but can’t commit publicly to the feature being available in any given release.
