Integrations: Automated Sign Out from OpenID Provider
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. There are multiple public OpenID identity providers that an administrator can use for authorizing users, such as Microsoft and Google identity platforms, OneLogin, and Okta.
In MYOB Acumatica, an administrator can configure integration with multiple OpenID providers for a system tenant or multiple tenants.
Usually, when a user signs in to MYOB Acumatica with an OpenID provider, the user remains signed in with the identity provider even after signing out from the system.
In some cases—for example, to comply with legal requirements—it might be necessary to terminate a session with the identity provider when a user signs out of MYOB Acumatica.
MYOB Acumatica Construction Edition 2024.2.1 introduces the ability to configure automated sign-out from the identity provider.
Configuring Automated Sign-Out
The new Logout Settings section has been added on the Authentication Settings tab of the OpenID Providers (SM303020) form (see the following screenshot). With these settings specified, when a user signs out of MYOB Acumatica, the system redirects the user to the sign-out page of the OpenID provider that was used to sign in to MYOB Acumatica. The system also sends a sign-out request to the provider to automatically sign the user out. After the user has been signed out successfully, the system redirects the user back to the MYOB Acumatica sign-in page.

To configure this behavior, the administrator selects the Perform Logout From Provider check box, and the system makes the Logout Endpoint box required. In this box, the administrator specifies the sign-out endpoint for the OpenID provider. Alternatively, if the OpenID provider supports discovery requests, the administrator can click the Autoconfiguration button on the tab, and the system will automatically fill in the value.
Then the administrator clicks View Redirect URIs on the form toolbar, and the system opens the Redirect URIs dialog box. In the dialog box, the administrator copies the value from the Post Logout Redirect URI box. In the configuration settings for MYOB Acumatica on the OpenID provider platform, the administrator pastes the value to make the OpenID provider redirect a user back to the MYOB Acumatica sign-in page. (The place to paste the link may differ, depending on the OpenID provider.)
In some cases, a user should not be redirected back to the MYOB Acumatica sign-in page after they sign out from the OpenID provider. To support this system behavior, the administrator selects the Do Not Redirect Back After Logout check box in the Logout Settings section on the Authentication Settings tab of the OpenID Providers form. In this case, the administrator does not need to specify a corresponding redirect URI in the configuration settings for MYOB Acumatica on the OpenID provider platform.
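The following sketch is an added illustration, not MYOB Acumatica code: it shows how a sign-out endpoint can be read from a provider's discovery document and how a sign-out request URL is formed under the OpenID Connect RP-Initiated Logout specification, with and without a post-logout redirect. It assumes the provider publishes the `end_session_endpoint` metadata field; the host names, token value, and function names are constructed for the example.

```python
import json
from urllib.parse import urlsplit, urlencode

# Constructed discovery document for a hypothetical provider (idp.example.com).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/authorize",
  "end_session_endpoint": "https://idp.example.com/logout"
}""")


def logout_endpoint_from_discovery(doc):
    """Return the advertised sign-out endpoint, or None when the provider
    does not publish one (the value then has to be entered by hand)."""
    endpoint = doc.get("end_session_endpoint")
    if endpoint is None:
        return None
    parts = urlsplit(endpoint)
    # Reject anything that is not an absolute https URL before storing it.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("sign-out endpoint must be an absolute https URL")
    return endpoint


def build_logout_url(endpoint, id_token_hint,
                     post_logout_redirect_uri=None, state=None):
    """Build the sign-out request URL. Leaving post_logout_redirect_uri
    unset models the case where the user is not redirected back."""
    params = {"id_token_hint": id_token_hint}
    if post_logout_redirect_uri is not None:
        # The provider only honours a URI registered in its own settings.
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
        if state is not None:
            params["state"] = state
    separator = "&" if urlsplit(endpoint).query else "?"
    return endpoint + separator + urlencode(params)


if __name__ == "__main__":
    ep = logout_endpoint_from_discovery(SAMPLE_DISCOVERY)
    print(build_logout_url(ep, "TOKEN", "https://erp.example.com/signin", "abc"))
    print(build_logout_url(ep, "TOKEN"))
```

The redirect URI sent in the request has to match the value registered with the provider exactly, which is why the administrator copies it from the Redirect URIs dialog box rather than typing it.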