Single Sign-Out?

(Jay Van der Zant) #1

I’ve just implemented Discourse SSO (to my Identity Server 4 powered IDP, yay).

I take it there’s no single-sign-out capability, i.e. a ping to the IDP to let it know the user has signed-out, so they can be signed-out of the IDP and any other apps as well?

The situation where someone uses a public computer, signs-in to the IDP, uses Discourse, then signs-out of Discourse thinking they’re done, when actually they’re stilled signed-in with the IDP, which would allow anyone using the computer next to just click Sign-in to Discourse again and be authenticated without prompt concerns me.

(Bhanu Sharma) #2

Use Logout redirect to set your IDP logout link.

(Jay Van der Zant) #3

Oh awesome, thanks. Works a treat.

('Tunde Aromire) #4

Hi, I just implemented too. But it doesn’t redirect to the logout link for my website. Just logs out of discourse and attempts to login again.
Is there anyway I can force it to redirect or trigger an event that will log the user out of the other site?

(Bhanu Sharma) #5

That’d depend on how You’ve set up and what SSO engine you’re using! Can you describe your setup in a bit details?

('Tunde Aromire) #6

I followed to the letter, every instruction in this post: Official Single-Sign-On for Discourse (sso) i.e. setup the sso login url, receive the payload and secret, verify the secret, create a url encoded base64 payload and hashed payload which was received on the forum and automatically logs on the user.

However, the user is not logged off the website when I log out of discourse as well as when the user session on the main site expires.

(Bhanu Sharma) #7

Did you set the logout redirect to the logout link of your website?

('Tunde Aromire) #8

Oh, I didn’t see that. I just did now.


However, it still doesn’t solve the situation of user’s session expiration.

(Bhanu Sharma) #9

Is the session being expired from discourse or your website?

('Tunde Aromire) #10

It’s expired on my website.

(Bhanu Sharma) #11

You will have to do something to send discourse a signal that the user session is expired maybe you can try tinkering with API …

Other way I can think of is to reduce the discourse session time. This won’t actually sync logout on both platforms but will provide a leeway for sessions to be closed if a user is inactive for more than given time.

('Tunde Aromire) #12

Thanks so much, I really appreciate your help.