Single Sign-Out?

I’ve just implemented Discourse SSO (to my Identity Server 4 powered IDP, yay).

I take it there’s no single-sign-out capability, i.e. a ping to the IDP to let it know the user has signed-out, so they can be signed-out of the IDP and any other apps as well?

The situation where someone uses a public computer, signs-in to the IDP, uses Discourse, then signs-out of Discourse thinking they’re done, when actually they’re stilled signed-in with the IDP, which would allow anyone using the computer next to just click Sign-in to Discourse again and be authenticated without prompt concerns me.

Use Logout redirect to set your IDP logout link.

8 Likes

Oh awesome, thanks. Works a treat.

1 Like

Hi, I just implemented too. But it doesn’t redirect to the logout link for my website. Just logs out of discourse and attempts to login again.
Is there anyway I can force it to redirect or trigger an event that will log the user out of the other site?
Thanks.

That’d depend on how You’ve set up and what SSO engine you’re using! Can you describe your setup in a bit details?

1 Like

I followed to the letter, every instruction in this post: Official Single-Sign-On for Discourse (sso) i.e. setup the sso login url, receive the payload and secret, verify the secret, create a url encoded base64 payload and hashed payload which was received on the forum and automatically logs on the user.

However, the user is not logged off the website when I log out of discourse as well as when the user session on the main site expires.

Did you set the logout redirect to the logout link of your website?

2 Likes

Oh, I didn’t see that. I just did now.

Thanks.

However, it still doesn’t solve the situation of user’s session expiration.

Is the session being expired from discourse or your website?

1 Like

It’s expired on my website.

You will have to do something to send discourse a signal that the user session is expired maybe you can try tinkering with API …

Other way I can think of is to reduce the discourse session time. This won’t actually sync logout on both platforms but will provide a leeway for sessions to be closed if a user is inactive for more than given time.

5 Likes

Thanks so much, I really appreciate your help.

3 Likes