necouchman commented on code in PR #280: URL: https://github.com/apache/guacamole-manual/pull/280#discussion_r2729871462
########## src/openid-auth.md.j2: ########## 
@@ -81,6 +81,72 @@ extension does not have priority: extension-priority: *, openid ``` +(openid-single-logout)= + +### Single Logout (SLO) + +By default, logging out of Guacamole will only terminate the Guacamole session, +leaving the user's session with the OpenID Connect identity provider intact. If +the user logs back in without the identity provider session having expired, +they will be automatically logged back in without needing to re-enter their +credentials. + +To enable Single Logout, configure the `openid-logout-endpoint` property with +the identity provider's logout endpoint. When configured, logging out of +Guacamole will redirect the user to the identity provider's logout endpoint, +terminating both the Guacamole session and the identity provider session. + +#### Single Logout configuration properties + +The following optional properties control Single Logout behavior: + +`openid-logout-endpoint` +: The logout endpoint (URI) of the OpenID Connect identity provider. When + configured, users will be redirected to this endpoint when they log out from + Guacamole, allowing them to also log out from the identity provider. If not + set, logout will only terminate the Guacamole session. + + For identity providers that implement OpenID Connect Discovery, this value can + be retrieved from the `end_session_endpoint` property of the JSON file hosted + at `https://identity-provider/.well-known/openid-configuration`. + + This property can also be set using the `OPENID_LOGOUT_ENDPOINT` environment + variable. + +`openid-post-logout-redirect-uri` +: The URI that the identity provider should redirect to after logout is + complete. If not specified, the value of `openid-redirect-uri` will be used as + the default. + + This URI must be registered with your identity provider as an allowed + post-logout redirect URI. + + This property can also be set using the `OPENID_POST_LOGOUT_REDIRECT_URI` + environment variable. 
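Review bot: In the `openid-post-logout-redirect-uri` entry, the sentence "This URI must be registered with your identity provider as an allowed post-logout redirect URI" does not say whether it also covers the default case described just before it, where the value of `openid-redirect-uri` is used. A reader who sets only `openid-logout-endpoint` could miss that, per these two sentences, the `openid-redirect-uri` value is then the one that needs to be registered as a post-logout redirect URI; consider stating that explicitly. Separately, in the opening paragraph, "If the user logs back in ... they will be automatically logged back in" repeats itself; wording such as "If the user returns to Guacamole before the identity provider session has expired, they will be signed in again without needing to re-enter their credentials" would read more clearly.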
Review Comment:
I'm not sure you need to specifically document these properties, here - I think they will end up being pulled in in the section, above, where the other optional properties get pulled in.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
