Single Sign-On and Single Logout
Single Sign-On
GENESIS provides Single Sign-On (SSO) for OIDC and SAML. When web login is enabled and the user already has an active session with the configured identity provider (IdP), GENESIS does not prompt for credentials: the browser-based login flow completes without user interaction and the user is signed in automatically. Because the IdP session, not GENESIS, decides whether credentials are requested, anyone with access to a browser that holds an active IdP session can reach GENESIS without being prompted.
Single Logout (SLO)
When web logout is configured, logging out of a GENESIS application also initiates a logout request to the identity provider. This ends the user's session at the identity provider, not just within GENESIS.
To enable single logout, open Workbench, go to Security > Global Settings in Project Explorer, and select the In-house applications use web logout checkbox.
When the checkbox is selected, the Logout button in WebHMI and in desktop applications such as GraphWorX or Workbench opens a web browser, logs the user out of the web session, and initiates single logout at the external IdP.
Web logout runs only when the user clicks the Logout button in WebHMI or in a GENESIS desktop application. Other logout events, such as automatic logout after inactivity or after all clients disconnect, end the GENESIS session only; the IdP session stays active, so the next login from the same browser completes silently through SSO.
Single logout is supported for both OIDC and SAML.
OIDC Single Logout
GENESIS can initiate RP-Initiated Logout (the OpenID Connect Relying Party/Client-Initiated Logout flow), but does not support IdP-Initiated Logout, neither Front-Channel nor Back-Channel Logout. Consequently, a session that is ended at the IdP (for example by an administrator, or by a logout from another application) does not end the corresponding GENESIS session; that session remains valid until the user logs out of GENESIS or the session expires.
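The following is an added example of what an RP-Initiated Logout looks like from the relying party's side; it is illustrative code written for this page, not GENESIS code, and the IdP discovery document, the registered post-logout redirect URI and the session store are all constructed. It shows the three things the relying party must do: end its own session before handing the browser to the IdP, send the browser to the IdP's end_session_endpoint with the ID token it holds as id_token_hint and a pre-registered post_logout_redirect_uri, and check the state value when the IdP redirects back.

```python
"""OIDC RP-Initiated Logout from the relying party's point of view.

Added example, not GENESIS code. The discovery document, registered redirect
URI and session store below are constructed for illustration.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed fragment of a hypothetical IdP's discovery document.
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "end_session_endpoint": "https://idp.example.com/oidc/logout",
}

# Post-logout redirect URIs this RP registered with the IdP (hypothetical).
REGISTERED_POST_LOGOUT_URIS = {"https://genesis.example.com/logged-out"}

# Constructed local session store: session id -> subject and the ID token
# issued at login (needed as id_token_hint when logging out).
LOCAL_SESSIONS = {
    "sess-1": {"sub": "alice", "id_token": "hdr.payload.sig"},
}


def build_rp_initiated_logout_url(discovery, id_token, post_logout_redirect_uri, state=None):
    """Return (logout_url, state) for the IdP's end_session_endpoint."""
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        # Without this endpoint the IdP offers no RP-initiated logout at all.
        raise ValueError("IdP does not advertise end_session_endpoint")
    if post_logout_redirect_uri not in REGISTERED_POST_LOGOUT_URIS:
        # The IdP will reject unregistered URIs; refusing locally avoids an
        # open-redirect style mistake in our own code.
        raise ValueError("post_logout_redirect_uri is not registered with the IdP")
    if state is None:
        state = secrets.token_urlsafe(16)
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    sep = "&" if "?" in endpoint else "?"
    return endpoint + sep + urlencode(params), state


def start_rp_initiated_logout(sessions, session_id, discovery, post_logout_redirect_uri):
    """End the local session first, then hand the browser to the IdP.

    Order matters: if the IdP never redirects back (closed tab, network
    error), the application-side session must already be gone. The returned
    state has to be kept client-side (for example in a cookie) so the
    callback can be checked against it.
    """
    session = sessions.pop(session_id)
    return build_rp_initiated_logout_url(discovery, session["id_token"], post_logout_redirect_uri)


def verify_logout_callback(callback_url, expected_state):
    """True only if the IdP redirected back carrying the state we issued."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [])
    if len(returned) != 1:
        return False
    return secrets.compare_digest(returned[0].encode(), expected_state.encode())


if __name__ == "__main__":
    sessions = dict(LOCAL_SESSIONS)
    url, state = start_rp_initiated_logout(
        sessions, "sess-1", DISCOVERY, "https://genesis.example.com/logged-out")
    print("redirect browser to:", url)
    print("local session gone:", "sess-1" not in sessions)
    print("callback accepted:", verify_logout_callback(
        "https://genesis.example.com/logged-out?state=" + state, state))
```

Note what this flow cannot do: it only runs when the relying party starts it. A logout that begins at the IdP would have to reach the relying party through a Front-Channel redirect or a Back-Channel logout token, which is exactly the direction GENESIS does not implement.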
SAML Single Logout
SAML Single Logout requires SAML certificates to be set up, because the logout requests and responses exchanged with the IdP are signed and their signatures are verified.
When connected to a SAML external IdP, GENESIS can participate in both Service Provider (SP) Initiated Logout and IdP Initiated Logout.
When the IdP initiates the logout, GENESIS reads the <NameID> element of the SAML logout request and logs out every session in which that user signed in through SAML; sessions established by other login methods are not affected. The match is made on the NameID value, so it must be the same NameID the IdP issued in the login assertion.
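As an added illustration of the matching rule just described (example code written for this page, not GENESIS code), the service-provider side of an IdP-initiated SAML logout is shown below: the <LogoutRequest> envelope is checked, its <NameID> is compared with the NameID each session was created with, every SAML-established session of that user is ended while a session created by another login method survives, and a <LogoutResponse> is built for the IdP. Signature verification of the request, which is what the SAML certificates are needed for, is assumed to have happened before this code runs. The entity IDs, endpoint, session store and sample request are all constructed.

```python
"""IdP-initiated SAML Single Logout handled on the service-provider (SP) side.

Added example, not GENESIS code. Assumes the request signature has already
been verified; all identifiers and the session store are constructed.
"""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

IDP_ENTITY_ID = "https://idp.example.com/saml"       # hypothetical IdP entity ID
SP_ENTITY_ID = "https://genesis.example.com/saml"    # hypothetical SP entity ID
SP_SLO_URL = "https://genesis.example.com/saml/slo"  # hypothetical SP SLO endpoint

# Constructed session store: session id -> login method, NameID and client.
# Alice has two SAML sessions and one created with a local account.
SESSIONS = {
    "s-web-1": {"method": "saml", "name_id": "alice@example.com", "app": "WebHMI"},
    "s-gwx-1": {"method": "saml", "name_id": "alice@example.com", "app": "GraphWorX"},
    "s-wb-1": {"method": "local", "name_id": "alice@example.com", "app": "Workbench"},
    "s-web-2": {"method": "saml", "name_id": "bob@example.com", "app": "WebHMI"},
}

# Constructed LogoutRequest as the IdP would send it (signature omitted).
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-42" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://genesis.example.com/saml/slo">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  <samlp:SessionIndex>idx-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def parse_logout_request(xml_text):
    """Check the envelope of a LogoutRequest and return its ID and NameID."""
    root = ET.fromstring(xml_text)  # on untrusted input use defusedxml.ElementTree
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    # Reject requests addressed to another endpoint or from an unknown IdP.
    destination = root.get("Destination")
    if destination is not None and destination != SP_SLO_URL:
        raise ValueError("Destination does not match this SP's SLO endpoint")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != IDP_ENTITY_ID:
        raise ValueError("LogoutRequest from unexpected issuer")
    name_id = root.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("LogoutRequest carries no NameID")
    return {"id": root.get("ID"), "name_id": name_id.text.strip(),
            "format": name_id.get("Format")}


def logout_saml_sessions(sessions, name_id):
    """End every session this NameID established through SAML; return their ids.

    Matching is on the NameID value issued at login. Sessions created by any
    other login method are deliberately left alone.
    """
    ended = sorted(sid for sid, s in sessions.items()
                   if s["method"] == "saml" and s["name_id"] == name_id)
    for sid in ended:
        del sessions[sid]
    return ended


def build_logout_response(request_id):
    """Build a successful LogoutResponse for the IdP (to be signed before sending)."""
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_resp-" + secrets.token_hex(8),
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "InResponseTo": request_id,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    return ET.tostring(resp, encoding="unicode")


def handle_idp_logout_request(xml_text, sessions):
    """Process an IdP-initiated logout: returns (ended session ids, response XML)."""
    req = parse_logout_request(xml_text)
    ended = logout_saml_sessions(sessions, req["name_id"])
    return ended, build_logout_response(req["id"])


if __name__ == "__main__":
    store = dict(SESSIONS)
    ended, response = handle_idp_logout_request(LOGOUT_REQUEST, store)
    print("ended:", ended)          # alice's two SAML sessions
    print("remaining:", sorted(store))
    print(response)
```

Running the block ends Alice's WebHMI and GraphWorX sessions, leaves her local Workbench session and Bob's session in place, and prints the LogoutResponse whose InResponseTo refers back to the request ID.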
SAML Single Logout depends on session cookies stored in the web browser. If the browser is closed after a SAML login, single logout will typically not work. Whether it does depends on the browser and its settings (Firefox, for example, keeps the cookies across a restart under certain conditions). This is a particular concern for non-web-based applications such as GraphWorX or Workbench, which open the browser only for the login and logout steps, so the browser holding the SAML session cookies may have been closed by the time the user logs out.