vIDM Tenant users are unable to complete SSO logout from VCFA Tenant Manager.

Article ID: 394731


Products

VCF Automation

Issue/Introduction

In VCFA Tenant Manager 9.0+, a vIDM tenant user cannot complete a full SSO logout without proper endpoint configuration. This occurs for two reasons:

1. vIDM Instance:
The vIDM instance is not aware of the final redirect endpoint in its allowed redirect endpoints list. Therefore, the user cannot be redirected back to Tenant Manager.

In OpenID, this redirect endpoint is known as the `post_logout_redirect_uri`. We will use this variable name for conceptual clarity, even though vIDM does not support a property by that name. This KB primarily exists to address this missing property.

2. VCFA Tenant Manager:
The VCFA Tenant Manager is unaware of the vIDM upstream logout endpoint, from which the SSO upstream logout occurs. Within OpenID, this is known as the `end_session_endpoint`.
Tenant Manager is also unaware of the endpoint to redirect to once upstream logout is complete. In OpenID, this is known as the `post_logout_redirect_uri`.

Without the variables set properly on both sides, users cannot be logged out of the SSO upstream or redirected back to the Tenant Manager login page. If a user attempts to log in a second time after an incomplete Tenant Manager logout, they will not be asked for credentials and will be logged in as the IDP-linked Tenant Manager user.

Environment

VCF Automation 9.0.x

Cause

Incomplete vIDM SSO logout can be the result of 3 primary misconfigurations or some combination of them:

1. TM `end_session_endpoint` variable is unset:
If Tenant Manager does not have a value set for `end_session_endpoint`, upstream logout cannot occur. In this case, a user attempting to log out will be redirected to the Tenant Manager login page. On a second login, they will not be asked for credentials and will start a new session as the previous user.

2. Allowed logout redirect endpoints are unset on vIDM instance:
If the TM login endpoint is not included as an allowed redirect endpoint in vIDM, vIDM will be unable to handle redirecting the user back to Tenant Manager.

3. TM `end_session_endpoint` does not have a query `rel` property set with the same value from scenario 2:
If the `end_session_endpoint` doesn't contain the TM login redirect as a `rel` property in its query, vIDM will be unable to handle redirecting the user back to Tenant Manager. THIS VALUE MUST EXACTLY MATCH THE VALUE IN STEP 2.

Resolution

A. Update Allowed Redirect Endpoints in the vIDM Instance:

The vIDM instance allowed redirect endpoints list must be updated via `https://<VIDM_HOST>/SAAS/jersey/manager/api/authsettings/allowedredirects`.

This can be done through the following steps:

1. Acquire a system administrator token (this is the administrator account in SYSTEM domain):

# Backslash continuations belong only between curl arguments; the JSON body
# is a single quoted argument and must not contain them, or it is not valid JSON.
curl --location 'https://<VIDM_HOST>/SAAS/API/1.0/REST/auth/system/login' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data '{
"username" : "<admin-username>",
"password" : "<admin-password>",
"issueToken" : "true"
}'

2. Get the current list of allowed redirect URIs:

curl --location 'https://<VIDM_HOST>/SAAS/jersey/manager/api/authsettings/allowedredirects' \
--header 'Authorization: HZN <step-1-sys-admin-token>'

3. Add the `post_logout_redirect_uri` to the allowed redirects list and post it back to update the vIDM instance:

# Keep every existing entry; the new URI is one more comma-separated JSON string.
curl --location 'https://<VIDM_HOST>/SAAS/jersey/manager/api/authsettings/allowedredirects' \
--header 'Authorization: HZN <step-1-sys-admin-token>' \
--header 'Content-Type: application/vnd.vmware.horizon.manager.authsettings.allowedredirects+json' \
--data '{
"allowedRedirects": [
... <original-allowed-redirect-entries> ...,
"<post_logout_redirect_uri>"
]
}'

The `post_logout_redirect_uri` should now be successfully registered as an allowed endpoint in the vIDM tenant instance.

B. Configuring `end_session_endpoint` with VCFA Tenant Manager (Only necessary for greenfield vIDM tenants):

This part is only necessary for new vIDM tenants who have not already been registered with Tenant Manager.
Tenants that have been pre-registered in Tenant Manager will have this part done automatically during migration.

The Tenant Manager must have its OpenID Provider configuration modified with the proper `end_session_endpoint`. This involves two pieces that MUST be correctly formatted:
- Upstream logout endpoint: Points to the upstream logout endpoint for the vIDM user. Navigating here effectively logs out of vIDM.
- Post-logout redirect query value: Points to the Tenant Manager login endpoint. This endpoint is the same value as the `post_logout_redirect_uri` in part A. This redirect occurs after the redirect to the `end_session_endpoint`. This will be added as query param "dest".

The full `end_session_endpoint` should be formatted like so: 'https://<upstream-logout-endpoint>?dest=<post_logout_redirect_uri>'.

Follow the steps below to configure `end_session_endpoint` in TM:

1. Log in to Tenant Manager to obtain an access token (this command prints the final TM access token):

   * Note: "/provider" should follow "/sessions" only when logging in to the system org. The organization to log in to is included in the basic authorization username, formatted as "<username>@<organization>"; e.g. administrator@System, testUser@testOrg.

       # -D - writes the response headers to stdout; the access token is read from the
       # x-vmware-vcloud-access-token header and the trailing CR of the header line is stripped.
       curl -s -D - -o /dev/null --location --request POST 'https://<TENANT_MANAGER_HOST>/cloudapi/1.0.0/sessions/[provider]' \
       --header 'Accept: application/json;version=40.0' \
       --header 'Content-Type: application/json' \
       --header 'Authorization: Basic <encoded-basic-auth-string>' \
       | grep -i "^x-vmware-vcloud-access-token:"  \
       | awk '{print $2}' \
       | tr -d '\r'


2. Fetch the current OAuth settings for the desired org:

curl 'https://<TENANT_MANAGER_HOST>/api/admin/org/<org-id>/settings/oauth' \
-H 'accept: application/*+json;version=40.0' \
-H 'authorization: Bearer <access-token-from-step-1>' \
-H 'content-type: application/*+json'

3. Reformat the fetched payload with the desired `end_session_endpoint`.
* Note: It is very important that `postLogoutRedirectUri` is null in this payload. vIDM does not support this value on its own, which is why its equivalent is appended to the `end_session_endpoint` instead.

{
...
"endSessionEndpoint" : "<end-session-endpoint>",
"postLogoutRedirectUri" : null
...
}

4. Update the OAuth settings with the reformatted payload (with `endSessionEndpoint` set and `postLogoutRedirectUri` null):

curl 'https://<TENANT_MANAGER_HOST>/api/admin/org/<org-id>/settings/oauth' \
-X 'PUT' \
-H 'accept: application/*+json;version=40.0' \
-H 'authorization: Bearer <access-token-from-step-1>' \
-H 'content-type: application/*+json' \
--data-raw '<flattened-payload-with-redirect-attributes-set>'
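The following script is an added example and is not part of this KB or of the VCF Automation product. It ties parts A and B together: it assembles the `end_session_endpoint` in the `https://<upstream-logout-endpoint>?dest=<post_logout_redirect_uri>` form from part B, checks the cause-3 requirement that the `dest` value is an exact match for an entry in the vIDM allowed-redirects list, and wraps the API calls from steps A.2/A.3 and B.2-B.4 in functions. The function names, the `jq` dependency, and the assumption that the GET responses have the same `allowedRedirects` / `endSessionEndpoint` / `postLogoutRedirectUri` shape as the bodies shown above are mine; all hostnames, paths and the allowed-redirects list in the walk-through are constructed placeholders, not values from a real tenant.

```shell
#!/bin/sh
# Added example, not part of the KB: helpers for Part A and Part B.
# Every hostname, path and token below is a constructed placeholder.

# Part B: build the Tenant Manager end_session_endpoint from the vIDM upstream
# logout endpoint and the post-logout redirect registered in Part A.
# The redirect is appended as the "dest" query parameter exactly as given (the KB
# requires an exact match with the vIDM allowed-redirects entry), so values that
# contain '&' or '#' are refused: they would be truncated inside the query string.
build_end_session_endpoint() {
  upstream="$1"
  redirect="$2"
  case "$redirect" in
    *'&'*|*'#'*)
      echo "refusing post_logout_redirect_uri containing '&' or '#': $redirect" >&2
      return 1 ;;
  esac
  printf '%s?dest=%s\n' "$upstream" "$redirect"
}

# Pull the dest value back out of an end_session_endpoint (empty if absent).
dest_from_endpoint() {
  printf '%s\n' "$1" | sed -n 's/.*[?&]dest=\([^&#]*\).*/\1/p'
}

# Cause 3 check: dest must be byte-for-byte equal to one entry of the vIDM
# allowed-redirects list (passed as one URL per line). A trailing slash or a
# different case is a mismatch and vIDM will not redirect back to Tenant Manager.
check_dest_allowed() {
  endpoint="$1"
  allowed="$2"
  dest=$(dest_from_endpoint "$endpoint")
  if [ -z "$dest" ]; then
    echo "end_session_endpoint carries no dest query parameter" >&2
    return 1
  fi
  printf '%s\n' "$allowed" | grep -Fxq -- "$dest"
}

# Part A steps 2-3 over the REST API (needs curl and jq; not exercised offline).
# Assumes the GET body has the same "allowedRedirects" array as the POST body in A.3.
register_allowed_redirect() {
  vidm_host="$1"; sys_token="$2"; redirect="$3"
  url="https://$vidm_host/SAAS/jersey/manager/api/authsettings/allowedredirects"
  current=$(curl -sS --fail "$url" --header "Authorization: HZN $sys_token") || return 1
  # Append the redirect only if it is not already present, keeping existing entries.
  updated=$(printf '%s' "$current" | jq --arg r "$redirect" \
    '.allowedRedirects |= (if any(.[]; . == $r) then . else . + [$r] end)') || return 1
  curl -sS --fail "$url" \
    --header "Authorization: HZN $sys_token" \
    --header 'Content-Type: application/vnd.vmware.horizon.manager.authsettings.allowedredirects+json' \
    --data "$updated"
}

# Part B steps 2-4 over the REST API (needs curl and jq; not exercised offline):
# fetch the org's OAuth settings, set endSessionEndpoint, force
# postLogoutRedirectUri to null, and PUT the result back.
set_tm_end_session_endpoint() {
  tm_host="$1"; tm_token="$2"; org_id="$3"; endpoint="$4"
  url="https://$tm_host/api/admin/org/$org_id/settings/oauth"
  current=$(curl -sS --fail "$url" \
    -H 'accept: application/*+json;version=40.0' \
    -H "authorization: Bearer $tm_token") || return 1
  updated=$(printf '%s' "$current" | jq --arg e "$endpoint" \
    '.endSessionEndpoint = $e | .postLogoutRedirectUri = null') || return 1
  curl -sS --fail -X PUT "$url" \
    -H 'accept: application/*+json;version=40.0' \
    -H "authorization: Bearer $tm_token" \
    -H 'content-type: application/*+json' \
    --data-raw "$updated"
}

# Offline walk-through on constructed values (no API calls are made).
UPSTREAM_LOGOUT='https://vidm.example.test/SAAS/auth/logout'   # placeholder for the tenant's real upstream logout endpoint
TM_LOGIN='https://tm.example.test/tenant/login'                 # placeholder post_logout_redirect_uri
ALLOWED='https://other.example.test/callback
https://tm.example.test/tenant/login'                           # constructed allowed-redirects list, one URL per line
endpoint=$(build_end_session_endpoint "$UPSTREAM_LOGOUT" "$TM_LOGIN")
echo "end_session_endpoint: $endpoint"
if check_dest_allowed "$endpoint" "$ALLOWED"; then
  echo "dest matches a vIDM allowed redirect"
else
  echo "dest is NOT in the vIDM allowed redirects; logout will not return to Tenant Manager"
fi
```

Run `check_dest_allowed` against the list returned by step A.2 before running step B.4: a mismatch here is exactly the cause-3 failure, and catching it offline avoids a PUT that leaves users stuck on the vIDM side of the logout. The `dest` value is passed through unencoded because the KB requires it to match the allowed-redirects entry exactly; if your post-logout redirect carries its own query string, confirm how your vIDM version decodes `dest` before relying on percent-encoding.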

Once parts A and B have been completed, vIDM SSO logout should be fully functional. Refer to the Cause section for troubleshooting.