Verifying Session Management as a method for ending OP session?

[graham-cs]

Hello,

We are setting up an Open OnDemand test server that uses mod_auth_openidc 2.4.16.11 with apache 2.4.62 per https://osc.github.io/ood-documentation/latest/authentication/oidc.html. OneLogin is the OpenID Connect Provider (OP). OIDC login and logout is generally working as expected. When logging out we see redirects to https://organization.onelogin.com/oidc/2/logout?id_token_hint=[token]&post_logout_redirect_uri=https%3A%2F%2Ftest.site, and the OP session ends as expected when 'keep me signed in' is not set.

However, when 'keep me signed in' is set for the OP session, OIDC logouts aren't ending the OP session and users are automatically logged back in.

After reading https://github.com/OpenIDC/mod_auth_openidc/wiki/OpenID-Connect-Session-Management#logout and looking at the OP OIDC metadata (https://organization.onelogin.com/oidc/2/.well-known/openid-configuration) we see an entry for "end_session_endpoint":"https://organization.onelogin.com/oidc/2/logout". Is there any other way to tell if the OP supports session management? The OneLogin logout documentation is fairly sparse and we don't have direct access to open a support ticket.

We also saw the note in https://github.com/OpenIDC/mod_auth_openidc/wiki#9-how-do-i-logout-users about making sure the logout redirect is not a mod_auth_openidc protected URL: https://test.site is not protected, however there is a redirect from the root url to a dashboard page protected by mod_auth_openidc. For testing we tried changing the logout redirect to a non-protected page with no subsequent redirect. In this case, when we load the dashboard page after logging out, the continuing OP session still results in mod_auth_openidc automatically logging the user back in.

any thoughts are greatly appreciated. we can provide further details if that would be helpful.

[graham-cs]

After additional testing and some slow back and forth with the OpenID Provider, OneLogin, we just heard back from their support:

After further discussion with our product team, we confirmed that the logout endpoint does not currently work with the “Keep Me Signed In” option. This behavior has not been acknowledged as a defect but rather classified as an enhancement request.

As a workaround we have updated logout_redirect to a public page ("/oidc?logout=https://test.site/public/logout.html") with a warning about the ‘Keep Me Signed In’ option and a link to the OneLogin dashboard to log out from there if needed.

If anyone else uses OneLogin once our ‘enhancement request’ is processed we can post a link as:

Once submitted, the request will be evaluated by our [(OneLogin)] product team and prioritized based on customer votes.