Identity provider logout
-
Hi,
I have a FusionAuth instance configured to use an external identity provider.
My application is logging into FusionAuth, which redirects to the identity provider: it works fine.
Now I wonder what the logout workflow should be?
My application calls the FusionAuth logout endpoint and it works fine (my user is logged out from my app and from FusionAuth), but the user is still logged into the external identity provider...
- Shouldn't FusionAuth call the external identity provider logout endpoint?
Because otherwise, the user is still logged on.
Thank you,
Quenta -
@quent Thanks for the question!
To note, each IdP will handle logout differently. It would be hard for FusionAuth to know how to log each user out of disparate systems. Killing each user session is specific to that IdP implementation. In the FusionAuth logout process, we will call a logout endpoint of your choosing. In that endpoint, you could have your integration call the IdP to remove the user's session.
I hope this helps!
Josh
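
One way to write the logout endpoint described in the reply above, as an added example (not code from this thread or from FusionAuth). It assumes the external IdP implements OpenID Connect RP-Initiated Logout (`id_token_hint` and `post_logout_redirect_uri` on its end-session endpoint); the URLs, cookie name and session keys are placeholders.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed values (not from the thread): placeholders for your IdP and application.
IDP_END_SESSION_URL = "https://idp.example.com/oidc/logout"
ALLOWED_RETURN_URLS = {"https://app.example.com/logged-out"}
SESSION_COOKIE = "app_session"  # hypothetical cookie name


def build_idp_logout_url(id_token, return_to, end_session_url=IDP_END_SESSION_URL):
    """Build the OIDC RP-initiated logout URL for the external IdP."""
    if return_to not in ALLOWED_RETURN_URLS:
        # Exact-match allowlist: never pass a request-supplied URL through unchecked.
        raise ValueError("post-logout redirect is not allowlisted")
    parts = urlsplit(end_session_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("IdP logout endpoint must be an absolute https URL")
    # Keep any query string the IdP already has on its endpoint.
    query = parse_qsl(parts.query, keep_blank_values=True) + [
        ("id_token_hint", id_token),
        ("post_logout_redirect_uri", return_to),
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))


def handle_logout(session, return_to):
    """Clear the local session; return (status, headers) for the logout endpoint."""
    if return_to not in ALLOWED_RETURN_URLS:
        raise ValueError("post-logout redirect is not allowlisted")
    # Assumed session key: the ID token saved at login, present only for IdP users.
    id_token = session.get("idp_id_token")
    if id_token:
        location = build_idp_logout_url(id_token, return_to)
    else:
        location = return_to  # local-only user: there is no IdP session to end
    session.clear()
    return 302, [
        ("Set-Cookie", f"{SESSION_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly"),
        ("Cache-Control", "no-store"),
        ("Location", location),
    ]
```
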
-
@joshua Thank you for the answer.
True, it is still possible to handle that logout.
Maybe in the future FusionAuth could have an additional and optional logout endpoint in the IdentityProvider settings...
I prefer the application not to know much about the IdP (i.e. not calling it directly and not knowing its URLs) and let FusionAuth deal with the authentication/logout workflow.
Though, I do understand the answer.
-
@quent I understand your position, and we appreciate the feedback.
Can you please create a GitHub issue linking to this forum post and with as much detail as you can provide (including, perhaps, sample logout URLs provided by IdPs you are interested in)?