Description of problem:
- User logout action from OpenShift console uses logoutRedirect URL for all identityProviders, when more than 1 identityProviders are used.

Version-Release number of selected component (if applicable):
OCP 4.7

How reproducible:
100%

Steps to Reproduce:
1. OCP has 2 identityProviders [OpenID and LDAP (Active Directory)]
2. Configure logoutRedirect URL for OpenID identityProvider as explained in this doc [1] to perform single logout from SSO session as well as from OCP logout.
3. Login using a user authenticated against Active Directory. When this user logs out, the request is sent to logoutRedirect URL.

[1] https://docs.openshift.com/container-platform/4.7/web_console/configuring-web-console.html#web-console-configuration_configuring-web-console

Actual results:
- Logout action is redirected to logoutRedirect URL for all identityProviders instead of OpenID.

Expected results:
- Other IdentityProviders are not redirected to logoutRedirect URL.

Additional info:
This came in late in the sprint, haven't had a chance to investigate yet.
Hi, hshukla. Can you open this as an RFE in JIRA? We understand the use case and agree there's a need for this. The current API as designed sets the logout redirect for all console users regardless of IDP, however. We'd need to work with the auth team to create a new API for specifying a redirect per IDP. Currently the console has no way to know what IDP the user logged in using since that is managed by the OAuth server.
Sounds good to me, Samuel, I'll open an RFE. I felt this was a flaw, hence I opened a BZ. Thanks.