I’ve just implemented Discourse SSO (to my Identity Server 4 powered IDP, yay).
I take it there’s no single-sign-out capability, i.e. a ping to the IDP to let it know the user has signed-out, so they can be signed-out of the IDP and any other apps as well?
The situation where someone uses a public computer, signs-in to the IDP, uses Discourse, then signs-out of Discourse thinking they’re done, when actually they’re still signed-in with the IDP, which would allow anyone using the computer next to just click Sign-in to Discourse again and be authenticated without prompt, concerns me.
Hi, I just implemented too. But it doesn’t redirect to the logout link for my website. Just logs out of discourse and attempts to login again.
Is there any way I can force it to redirect or trigger an event that will log the user out of the other site?
Thanks.
I followed to the letter every instruction in this post: Official Single-Sign-On for Discourse (sso), i.e. set up the sso login url, receive the payload and secret, verify the secret, create a url encoded base64 payload and hashed payload which was received on the forum and automatically logs on the user.
However, the user is not logged off the website when I log out of discourse as well as when the user session on the main site expires.
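The login exchange described in the post above, as an added example that is not part of the original thread or Discourse's own code: it simulates the forum's signed request, verifies it on the IdP side, and builds the signed reply. The secret, nonce, URL and user values are constructed; the field names `nonce`, `return_sso_url`, `external_id` and `email` follow Discourse's SSO payload format and are not quoted in the thread. It covers the sign-in exchange only.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SSO_SECRET = b"constructed-example-secret"  # constructed value, stands in for the shared SSO secret


def sign(payload: str, secret: bytes = SSO_SECRET) -> str:
    """Hex HMAC-SHA256 over the base64 payload string."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def discourse_request(nonce: str, return_url: str, secret: bytes = SSO_SECRET):
    """Simulates the forum side: the (sso, sig) pair sent to the SSO login URL."""
    raw = urlencode({"nonce": nonce, "return_sso_url": return_url})
    sso = base64.b64encode(raw.encode()).decode()
    return sso, sign(sso, secret)


def parse_request(sso: str, sig: str, secret: bytes = SSO_SECRET) -> dict:
    """IdP side: verify the signature before trusting anything in the payload."""
    expected = sign(sso, secret).encode()
    # Constant-time comparison; bytes on both sides so odd input cannot raise TypeError.
    if not hmac.compare_digest(expected, sig.encode()):
        raise ValueError("SSO signature mismatch")
    fields = parse_qs(base64.b64decode(sso).decode())
    return {"nonce": fields["nonce"][0], "return_sso_url": fields["return_sso_url"][0]}


def build_response(req: dict, external_id: str, email: str, secret: bytes = SSO_SECRET) -> str:
    """IdP side: echo the nonce, add the user, sign, and return the redirect URL."""
    raw = urlencode({"nonce": req["nonce"], "external_id": external_id, "email": email})
    payload = base64.b64encode(raw.encode()).decode()
    return req["return_sso_url"] + "?" + urlencode({"sso": payload, "sig": sign(payload, secret)})


if __name__ == "__main__":
    # Constructed sample values throughout.
    sso, sig = discourse_request("constructed-nonce-1", "https://forum.example/session/sso_login")
    print(build_response(parse_request(sso, sig), "42", "user@example.com"))
```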
You will have to do something to send discourse a signal that the user session is expired. Maybe you can try tinkering with API …
The other way I can think of is to reduce the discourse session time. This won’t actually sync logout on both platforms but will provide a leeway for sessions to be closed if a user is inactive for more than a given time.