US-20260127311-A1 - LOGOUT MECHANISMS FOR PROVIDING PRIVACY PROTECTION
Abstract
The present disclosure relates to computer-implemented methods, software, and systems for a logout process at a portal web application that embeds one or more other applications. A request to logout a user from a user session at a portal web application is received. The portal web application embeds one or more other web applications, where one or more other user sessions exist for the user. Instructions are sent to one or more logout endpoints at the one or more other web applications to trigger one or more logout processes to destroy the one or more other user sessions associated with the user. The user can be logged out by destroying the user session at the portal web application. A notification for a result of the logout for the user can be provided at the portal web application.
Inventors
- Radoslav Ivanov Sugarev
- Ivan Krastev Ikonomov
Assignees
- SAP SE
Dates
- Publication Date
- 20260507
- Application Date
- 20241105
Claims (20)
- 1. A computer-implemented method, comprising: receiving a request to logout a user from a user session at a portal web application; determining, at a logout endpoint at the portal web application, whether the portal web application embeds one or more other web applications, wherein one or more other user sessions exist for the user at the one or more other web applications; sending, by the logout endpoint at the portal web application, instructions to one or more logout endpoints at the one or more other web applications to trigger one or more logout processes and to destroy the one or more other user sessions associated with the user at the one or more other web applications; logging out the user by destroying the user session at the portal web application; and providing a notification for a result of the logout for the user at the portal web application.
- 2. The computer-implemented method of claim 1, wherein the received request to logout is a first request, and wherein the method further comprises: sending a second request to an identity provider to destroy a user session created for the user at the identity provider when the user was logged on the portal web application using the identity provider for an identity authentication.
- 3. The computer-implemented method of claim 1, wherein the logging out of the user from the user session at the portal web application is performed before the one or more logout processes triggered at the one or more other web applications are completed.
- 4. The computer-implemented method of claim 1, wherein the provided notification for the result is a first notification, and wherein providing the first notification for the result of the logout of the user at the portal web application comprises: receiving one or more notifications from one or more logout executions for the user at the one or more other user sessions, the one or more logout executions being performed at an identity provider associated with the one or more other web applications.
- 5. The computer-implemented method of claim 4, wherein the identity provider associated with the one or more other web applications is identical to an identity provider used for authenticating the user for the user session at the portal web application.
- 6. The computer-implemented method of claim 1, wherein providing the notification for the result of the logout comprises providing one or more statuses of execution of the one or more logout processes as triggered by the one or more logout endpoints at the one or more other web applications.
- 7. The computer-implemented method of claim 1, wherein determining whether the portal web application embeds the one or more other web applications comprises: obtaining input from an identity provider for at least one more user session associated with the user that is existing at the identity provider for the user and is associated with at least one web application embedded in the portal web application, wherein authentication at the at least one web application embedded in the portal web application is performed at the identity provider.
- 8. The computer-implemented method of claim 1, wherein determining whether the portal web application embeds the one or more other web applications comprises: obtaining a notification from an identity provider, the notification being indicative of another user session for the user at another web application embedded in the portal web application.
- 9. The computer-implemented method of claim 7, wherein determining whether the portal web application embeds the one or more other web applications comprises: determining, by the logout endpoint at the portal web application, whether an additional embedded web application to the portal web application is registered with another identity provider for executing user authentication, wherein sending, by the logout endpoint at the portal web application, instructions, comprises: sending further instructions to another identity provider for triggering a logout process to destroy a user session associated with the user at the additional embedded web application.
- 10. The computer-implemented method of claim 1, comprising: receiving a new request to log-in at the portal web application by another user; in response to receiving the request, determining whether another user is associated with an existing user session; in response to determining that another user is not associated with an existing user session, triggering an authentication of another user at an identity provider; and in response to determining that another user is associated with an existing user session, providing access to another user to resources at a first other web application embedded in the portal web application upon authentication for the first other web application without performing a new authentication for another user at the portal web application.
- 11. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform one or more operations, comprising: receiving a request to logout a user from a user session at a portal web application; determining, at a logout endpoint at the portal web application, whether the portal web application embeds one or more other web applications, wherein one or more other user sessions exist for the user at the one or more other web applications; sending, by the logout endpoint at the portal web application, instructions to one or more logout endpoints at the one or more other web applications to trigger one or more logout processes and to destroy the one or more other user sessions associated with the user at the one or more other web applications; logging out the user by destroying the user session at the portal web application; and providing a notification for a result of the logout for the user at the portal web application.
- 12. The non-transitory, computer-readable medium of claim 11, wherein the received request to logout is a first request, and wherein the operations further comprise: sending a second request to an identity provider to destroy a user session created for the user at the identity provider when the user was logged on the portal web application using the identity provider for an identity authentication.
- 13. The non-transitory, computer-readable medium of claim 11, wherein the logging out of the user from the user session at the portal web application is performed before the one or more logout processes triggered at the one or more other web applications are completed.
- 14. The non-transitory, computer-readable medium of claim 11, wherein the provided notification for the result is a first notification, and wherein providing the first notification for the result of the logout of the user at the portal web application comprises: receiving one or more notifications from one or more logout executions for the user at the one or more other user sessions, the one or more logout executions being performed at an identity provider associated with the one or more other web applications.
- 15. The non-transitory, computer-readable medium of claim 14, wherein the identity provider associated with the one or more other web applications is identical to an identity provider used for authenticating the user for the user session at the portal web application.
- 16. The non-transitory, computer-readable medium of claim 11, wherein providing the notification for the result of the logout comprises providing one or more statuses of execution of the one or more logout processes as triggered by the one or more logout endpoints at the one or more other web applications.
- 17. The non-transitory, computer-readable medium of claim 11, wherein determining whether the portal web application embeds the one or more other web applications comprises: obtaining input from an identity provider for at least one more user session associated with the user that is existing at the identity provider for the user and is associated with at least one web application embedded in the portal web application, wherein authentication at the at least one web application embedded in the portal web application is performed at the identity provider.
- 18. The non-transitory, computer-readable medium of claim 11, wherein determining whether the portal web application embeds the one or more other web applications comprises: obtaining a notification from an identity provider, the notification being indicative of another user session for the user at another web application embedded in the portal web application.
- 19. A computer-implemented system, comprising: one or more computers; and one or more computer memory devices interoperably coupled with the one or more computers and having tangible, non-transitory, machine-readable media storing one or more instructions that, when executed by the one or more computers, perform one or more operations, comprising: receiving a request to logout a user from a user session at a portal web application; determining, at a logout endpoint at the portal web application, whether the portal web application embeds one or more other web applications, wherein one or more other user sessions exist for the user at the one or more other web applications; sending, by the logout endpoint at the portal web application, instructions to one or more logout endpoints at the one or more other web applications to trigger one or more logout processes and to destroy the one or more other user sessions associated with the user at the one or more other web applications; logging out the user by destroying the user session at the portal web application; and providing a notification for a result of the logout for the user at the portal web application.
- 20. The computer-implemented system of claim 19, wherein the received request to logout is a first request, and wherein the non-transitory, machine-readable media further stores instructions, which when executed by the one or more computers perform operations comprising: sending a second request to an identity provider to destroy a user session created for the user at the identity provider when the user was logged on the portal web application using the identity provider for an identity authentication.
Description
TECHNICAL FIELD
The present disclosure relates to computer-implemented methods, software, and systems for access management and security.
BACKGROUND
Software applications can provide services and access resources. Resources may be restricted to a limited number of users based on user rights and roles. Tokens, credentials, keys, or other suitable methods and tools can be used to authenticate requests to gain access to restricted resources. Applications can be provided in a shared context where one application is accessible through another application. When a user requests access to a resource at one application, the user may be validated to determine whether the user is authorized to access the resource, which can happen through an identity provider. If a user requests access by navigating between multiple applications, the user may be validated at each application to perform authentication based on similar or different authentication rules.
SUMMARY
The present disclosure describes mechanisms to implement a logout process at a portal web application that embeds one or more other applications. In some implementations, a method includes: receiving a request to logout a user from a user session at a portal web application; determining, at a logout endpoint at the portal web application, whether the portal web application embeds one or more other web applications, wherein one or more other user sessions exist for the user at the one or more other web applications; sending, by the logout endpoint at the portal web application, instructions to one or more logout endpoints at the one or more other web applications to trigger one or more logout processes and to destroy the one or more other user sessions associated with the user at the one or more other web applications; logging out the user by destroying the user session at the portal web application; and providing a notification for a result of the logout for the user at the portal web application.
In some instances, the received request to logout is a first request, and the method further includes: sending a second request to an identity provider to destroy a user session created for the user at the identity provider when the user was logged on to the portal web application using the identity provider for identity authentication. In some instances, the logging out of the user from the user session at the portal web application is performed before the one or more logout processes triggered at the one or more other web applications are completed. In some instances, the provided notification for the result is a first notification, and providing the first notification for the result of the logout of the user at the portal web application includes: receiving one or more notifications from one or more logout executions for the user at the one or more other user sessions, the one or more logout executions being performed at an identity provider associated with the one or more other web applications. In some instances, the identity provider associated with the one or more other web applications can be identical to the identity provider used for authenticating the user for the user session at the portal web application. In some instances, providing the notification for the result of the logout includes providing one or more statuses of execution of the one or more logout processes as triggered by the one or more logout endpoints at the one or more other web applications.
In some instances, determining whether the portal web application embeds the one or more other web applications includes obtaining input from an identity provider about at least one more user session associated with the user that exists at the identity provider and is associated with at least one web application embedded in the portal web application, wherein authentication at the at least one embedded web application is performed at the identity provider. In some instances, determining whether the portal web application embeds the one or more other web applications includes: obtaining a notification from an identity provider, the notification being indicative of another user session for the user at another web application embedded in the portal web application. In some instances, determining whether the portal web application embeds the one or more other web applications includes: determining, by the logout endpoint at the portal web application, whether an additional web application embedded in the portal web application is registered with another identity provider for executing user authentication. Sending instructions can then include sending further instructions to that other identity provider to trigger a logout process that destroys the user session associated with the user at the additional embedded web application. In some instances, the method further includes: receiving a new request to log-in at the portal web application by anothe
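The logout procedure described in the summary above, as an added example that is not part of the patent and not SAP's code: the portal, the embedded applications and the identity provider are constructed in-memory stand-ins rather than real HTTP endpoints, and the names `WebApp`, `IdentityProvider` and `portal_logout` are the example's own. The portal session is destroyed first, without waiting for the embedded logouts (claim 3), the set of embedded applications to contact comes from the identity provider (claims 7 and 8), and one status per target is collected for the notification (claim 6).

```python
"""Portal logout fan-out, following the procedure in the summary above.
Added example, not SAP's code; all endpoints are in-memory stand-ins."""
from dataclasses import dataclass, field


@dataclass
class WebApp:
    """Session store of one web application (portal or embedded app)."""
    name: str
    sessions: dict = field(default_factory=dict)  # session id -> user
    fail: bool = False  # simulates an unreachable logout endpoint

    def logout_endpoint(self, user):
        """Destroy every session of `user`; returns a status string."""
        if self.fail:
            return "failed"
        ids = [sid for sid, u in self.sessions.items() if u == user]
        for sid in ids:
            del self.sessions[sid]
        return "destroyed" if ids else "no-session"


class IdentityProvider:
    """Authenticates users for every app and remembers where each one has a session."""
    def __init__(self):
        self.sessions = {}  # app name -> set of users logged in there

    def login(self, app, user):
        self.sessions.setdefault(app.name, set()).add(user)
        app.sessions[f"{app.name}:{user}"] = user

    def apps_with_session(self, user):
        return [n for n, users in self.sessions.items() if user in users]

    def logout(self, user):
        for users in self.sessions.values():
            users.discard(user)
        return "destroyed"


def portal_logout(user, portal, embedded, idp):
    """Portal logout endpoint: destroy the portal session first, then trigger
    logout at each embedded app the IdP reports, then drop the IdP session."""
    statuses = {portal.name: portal.logout_endpoint(user)}
    by_name = {app.name: app for app in embedded}
    for name in idp.apps_with_session(user):  # input from the IdP (claims 7, 8)
        if name in by_name:
            statuses[name] = by_name[name].logout_endpoint(user)
    statuses["identity-provider"] = idp.logout(user)
    ok = all(s != "failed" for s in statuses.values())  # one status per target
    return {"result": "complete" if ok else "partial", "statuses": statuses}
```

A failed embedded logout is reported as a partial result rather than hidden, and sessions of other users at the same embedded app are left untouched.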