Sonarqube SSO logout url

sso

(Vlad) #1

Hi there,

I’m currently using Sonarqube v.7 with sonar-auth-oidc plugin for SSO. Is there a way to configure the logout url so that it logs out my SSO provider session? Currently logout does not actually end the SSO session.

Thanks


(Nicolas Bontoux) #2

Hi there,

I recall a similar exchange here:

Ultimately I have to say I’m a bit surprised by this kind of ask. Especially when I try to map it to other examples. Let’s say you have a Google account, and use Google SSO to authenticate in another website (foo.com, logged in with your Google account). At this stage:

  • signing out from foo.com does not sign you out from your main Google account (e.g. on gmail.com)
  • signing out from Google (e.g. gmail.com) does not immediately sign you out from external websites such as foo.com (only logged out after session timeout)

The behaviour is similar with SonarQube: OAuth integration helps with one-click log-in, but the logged-in sessions (and related logout) are then independent from each other.

More specifically regarding logout in SonarQube: SonarQube does not provide any extension point on the logout action, precisely because it does not intend to let you drive further actions from that (other than logging the user out of SonarQube).

Note that you still have control over an inactivity timeout on the SonarQube side (sonar.web.sessionTimeoutInMinutes in sonar.properties, defaults to 3 days), which lets you define after which period of inactivity the user should be logged out from SonarQube (at which point if the user tries to reuse SonarQube, then he’ll land on the login page).