Applies to version: 2023 R1 and above; author: Krystyna Gawryał
Introduction
Version 2023 R1 of WEBCON BPS introduced the functionality to invalidate all active user sessions with the Global logout button. When the button is pressed, the user is logged out of all environments and platforms that use cookie-based authentication, including web browser tabs and windows, the mobile app, WEBCON BPS Teams, Outlook Classic, and Outlook Modern add-ins.
This article outlines the key considerations related to this functionality and provides instructions for its use.
Assumptions, design and configuration
The fundamental objective of the global logout functionality is to enhance user security by preventing unauthorized access to the system. Previously, there were instances where, despite logging out of Portal, the user's session remained active, e.g. on another device, potentially allowing outsiders to access confidential information.
By default, the user menu in Portal displays a single Logout button. This button enables users to log out of a single user session.
The visibility of other buttons (or combinations of buttons) is dependent on the settings configured in Designer Studio. In the Security window (System Settings → Global Parameters), you will find the parameter WEBCON BPS Portal logout behavior. In addition to the previously mentioned default option of logging out of a single session, a new setting has been introduced that allows users to Log out from all sessions.
When this option is selected (①) and the changes are saved (②), a Logout button will be available in the user menu in Portal, allowing users to log out from a single session, and, below that, a Global logout button, allowing users to log out from all sessions on all devices.
If necessary, it is also possible to Force logging out from all sessions. In this case, only the Global logout button is available in the user menu; when selected, the user is logged out of all sessions on all devices.
Note: Making security changes requires system administrator privileges and restarting Portal and Designer Studio each time.
Additional configuration
The Windows Authentication method in Internet Information Services (IIS) is the primary method for verifying the identity of users attempting to access resources on a web server. It is a key authentication method in enterprise environments where Active Directory integration and security are of paramount importance. It leverages existing Windows user credentials, eliminating the need for users who are logged on to their computers in the domain to re-enter their logins or passwords.
The method is well-suited for automatic authentication in websites and web applications where users are usually already logged in to the Windows domain. However, due to the nature of its operation, it does not allow for the termination of all active user sessions with the Global logout button.
Accordingly, supplementary configuration steps must be undertaken and the Windows Authentication method deactivated. To do so:
You will see a list of available authentication methods.
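The Windows Authentication setting discussed above can also be inspected and switched off from PowerShell. The script below is an added example, not part of the original article or of WEBCON's own tooling; it assumes the IIS WebAdministration module and an elevated session, and the site name is a placeholder to replace with the IIS site that hosts Portal.

```powershell
# Added example (not from the original article).
# Reports the Windows Authentication state of every IIS site and,
# only when -Disable is passed, turns it off for one named site.
param(
    # Assumption: placeholder for the IIS site hosting Portal; replace it.
    [string]$SiteName = '<PORTAL-SITE-NAME>',
    # Without -Disable the script is read-only.
    [switch]$Disable
)

Import-Module WebAdministration

$filter  = 'system.webServer/security/authentication/windowsAuthentication'
$appHost = 'MACHINE/WEBROOT/APPHOST'

function Get-WindowsAuthState([string]$Name) {
    # Returns $true/$false, or $null if the section cannot be read
    # (for example, the Windows Authentication feature is not installed).
    $prop = Get-WebConfigurationProperty -PSPath $appHost -Location $Name `
                -Filter $filter -Name enabled -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $prop.Value } else { $null }
}

# 1. Audit: list every site with its current setting.
$report = foreach ($site in Get-Website) {
    [pscustomobject]@{
        Site                  = $site.Name
        WindowsAuthentication = Get-WindowsAuthState $site.Name
    }
}
$report | Format-Table -AutoSize

# 2. Change: disable Windows Authentication for the chosen site only.
if ($Disable) {
    if ($report.Site -notcontains $SiteName) {
        throw "Site '$SiteName' was not found in IIS."
    }
    Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
        -Filter $filter -Name enabled -Value $false

    # 3. Verify: re-read the value instead of trusting the write.
    $after = Get-WindowsAuthState $SiteName
    "Windows Authentication on '$SiteName' is now: $after"
}
```

Run it once without `-Disable` to record the current state before changing anything.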
Testing the functionality
To test the functionality, the configuration steps mentioned above were carried out. The user then logged in to Portal in two different browsers (Microsoft Edge and Google Chrome), selecting the same authentication provider and entering the same user data. In Microsoft Edge, the Global logout button was selected.
This action was followed by a standard message in the same window:
In contrast, Google Chrome displayed a message indicating that the session had expired:
This was followed by a redirect to the login page:
The cookies were invalidated, and the user was successfully logged out of all active sessions.
Additional information: new metric for OpenTelemetry
Along with the new functionality that facilitates logging out of all sessions, a new OpenTelemetry metric has been introduced. This metric is accessible through the “webcon-workflow-portal-ticket-store-cache” module, which allows the display of user authorization identifiers currently stored in the cache memory.
Detailed information about OpenTelemetry in WEBCON BPS can be found at https://community.webcon.com/posts/post/opentelemetry-in-webcon-bps/403/3.