Bug 1386529

Summary: Logout URL (logoutURL) cannot be set for each of multiple authentication providers
Product: OpenShift Container Platform
Reporter: Kenjiro Nakayama <knakayam>
Component: RFE
Assignee: Jordan Liggitt <jliggitt>
Status: CLOSED DEFERRED
QA Contact: Chuan Yu <chuyu>
Severity: medium
Priority: unspecified
Version: 3.2.0
CC: aos-bugs, jokerman, knakayam, mbarrett, mmccomas, ssorce, sspeiche, wsun
Hardware: x86_64   
OS: Linux   
Last Closed: 2018-03-12 13:54:36 UTC
Type: Bug

Description Kenjiro Nakayama 2016-10-19 08:20:22 UTC
Description of problem:
===
- Logout URL (logoutURL) is not set for each of multiple authentication providers

Version-Release number of selected component (if applicable):
===
- OCP 3.3 (Hopefully, backport to 3.2)

How reproducible:
===
Steps to Reproduce:
1. Set up multiple authentication providers
2. OpenID needs this logoutURL:
  ~~~
  assetConfig:
    ...
    logoutURL: "https://$YOUR_KEYCLOAK_SERVER/auth/realms/$YOUR_REALM/protocol/openid-connect/logout?redirect_uri=https://$YOUR_OPENSHIFT_SERVER/console"
  ~~~
  - However, other authentication providers don't want to redirect to this URL.

Expected results:
===
- "logoutURL" can be set for each authentication provider.

Info
===
- Doc of logoutURL
https://docs.openshift.com/container-platform/3.3/install_config/web_console_customization.html#changing-the-logout-url

Comment 1 Jordan Liggitt 2016-10-19 14:50:50 UTC
Correct, only a single remote logout URL is currently supported. Integrating with multiple possible logout URLs (different per session based on authentication provider) would be a new feature.

Comment 5 Jordan Liggitt 2016-10-27 04:42:04 UTC
Tracked in https://trello.com/c/N1S5e73M

Comment 6 Simo Sorce 2017-12-13 17:00:13 UTC
We'd like to solve this problem by deferring to an external IdP like Keycloak. Is that an acceptable solution?
If not, why not?

Comment 7 Kenjiro Nakayama 2018-01-05 00:57:12 UTC
Hi, I'm sorry for my delay. The customer who originally requested this has already closed the ticket, and I believe that it is not critical for their env anymore. Then, having considered c#6, it would be alright if the final goal (setting a logout URL for each auth provider) could be achieved by using an external IDP.

Comment 9 Eric Rich 2018-03-12 13:54:36 UTC
This bug has been identified as a dated (created more than 3 months ago) bug.
This bug has been triaged (has a trello card linked to it), or reviewed by Engineering/PM and has been put into the product backlog,
however this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year.

As a result of this bug's age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Deferred,
as it is currently not part of the product's immediate priorities.

Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.