Logout with multiple subdomains
-
Hello guys!
I have a very specific problem that I can't seem to find a solution for. I've recently hosted my own community edition version of FusionAuth to test the integrations with my application, before migrating fully to it. We use Okta currently, but it does not support our needs anymore.
The way my application works is that the single application creates multiple subdomains for my clients. So, for instance, a client might have access to the domain https://backerstats.localhost/ (using localhost for example purposes) as an admin and a player, and to the domain https://pokerstats.localhost/ as an admin. This is all handled in the same application, where we would put all available domain login URLs for the users with no problems:
The login was configured with SSO and works fine. But now, when getting to the Logout, even though we have the Logout Behavior set for "All Applications", when I log out from a subdomain (like https://backerstats.localhost/), it works out normally, but I stay logged in on any other domains I might have accessed. For instance, if I had accessed https://pokerstats.localhost/ and then came back to https://backerstats.localhost/ to log out, and then navigated back to https://pokerstats.localhost/, I'd still be logged in on it.
My question here would be: Do I need a separate application for every single subdomain, or is there a way to make it so the logout works for every subdomain of the application?
Thanks in advance.
-
@ext_figuvini this is an interesting use case. I would think the way you have it configured would work. I would have to recreate your situation to test. Unfortunately it may be a while before I can get that done. I should be able to take a look next week. If anyone has experience with this, please feel free to chime in.
-
@ext_figuvini after reading your post again, I think I read it differently. The way the SSO logout works is that on logout, FusionAuth calls all the logout URLs for each application. It would seem that you are correct in that creating an application for each subdomain makes sense and would work. (You can create applications through the API so you should be able to automate this.) Can you try this for a few domains and confirm it works?
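
An added example, not part of the thread and not FusionAuth's own code: one way to script the per-subdomain applications suggested in the reply above, validating each origin before it is registered as a redirect or logout URL. The base URL, the API key placeholder and the `/oauth-callback` and `/logout` paths are assumptions.

```python
import json
import urllib.request
import uuid
from urllib.parse import urlsplit

# Assumptions, not from the thread: the FusionAuth base URL, the API key
# placeholder, and the /oauth-callback and /logout paths on each subdomain.
FUSIONAUTH_URL = "https://auth.example.invalid"
API_KEY = "<API-KEY-PLACEHOLDER>"


def application_request(origin, parent_suffix=".localhost"):
    """Build (application_id, request body) for one client subdomain."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    # Accept only bare https origins under the expected parent domain, so a bad
    # row in the client list never becomes a registered redirect or logout URL.
    if (parts.scheme != "https" or not host.endswith(parent_suffix)
            or parts.path not in ("", "/") or parts.query or parts.fragment
            or parts.username or parts.port):
        raise ValueError(f"rejected origin: {origin!r}")
    # Same host always maps to the same id, so re-running does not duplicate.
    app_id = str(uuid.uuid5(uuid.NAMESPACE_DNS, host))
    oauth = {
        "authorizedRedirectURLs": [f"https://{host}/oauth-callback"],
        "logoutURL": f"https://{host}/logout",
        "logoutBehavior": "AllApplications",
    }
    return app_id, {"application": {"name": host, "oauthConfiguration": oauth}}


def create_application(origin):
    """POST one application to FusionAuth; returns the HTTP status code."""
    app_id, body = application_request(origin)
    req = urllib.request.Request(
        f"{FUSIONAUTH_URL}/api/application/{app_id}",
        data=json.dumps(body).encode(),
        headers={"Authorization": API_KEY, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample list: the two subdomains from the post.
    for o in ["https://backerstats.localhost/", "https://pokerstats.localhost/"]:
        print(json.dumps(application_request(o), indent=2))
```

The logout URL registered here is the one FusionAuth calls on logout, so the handler behind it on each subdomain has to clear that subdomain's own session.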
-
@mark-robustelli Hey, Mark! Thank you so much for taking your time to answer me.
So, I was going to try to create a new application, but talking to the other devs I have on this project, we figured out we currently have about 700 different domains (each client gets a domain for his access), and this is on a legacy PHP/Zend application, so you can imagine how painful it is to change all the implementations.
Currently, I think it'd be unviable to create one application for each different domain, because it'd be a nightmare to manage 700 different applications in the dashboard, so I'd be happier with being able to sync logouts in a single application. I've been considering doing some manual hacking (like creating a global cookie that gets info from each domain cookie and then killing all of them), but I'd like to know if anyone else here had success with this kind of scenario without having to pull out the hacky stuff.
Thanks again!