author | clokep <clokep@users.noreply.github.com> | 2022-10-31 17:08:23 +0000
---|---|---
committer | clokep <clokep@users.noreply.github.com> | 2022-10-31 17:08:23 +0000
commit | 17eb445323a7374e8570e162f79916150b6311cf (patch) |
tree | d024039fa9f22b6dfe9c9725bb532947dab50016 /develop/print.html |
parent | deploy: 44f0d573cf57772b7f53e918d0c3580cba4fde32 (diff) |
download | synapse-17eb445323a7374e8570e162f79916150b6311cf.tar.xz |
deploy: cc3a52b33df72bb4230367536b924a6d1f510d36
Diffstat (limited to 'develop/print.html')
-rw-r--r-- | develop/print.html | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/develop/print.html b/develop/print.html index 748bc824e8..2dae861d99 100644 --- a/develop/print.html +++ b/develop/print.html @@ -5817,6 +5817,17 @@ without modifications.</p> which is set to the claims returned by the UserInfo Endpoint and/or in the ID Token.</p> </li> +<li> +<p><code>backchannel_logout_enabled</code>: set to <code>true</code> to process OIDC Back-Channel Logout notifications. +Those notifications are expected to be received on <code>/_synapse/client/oidc/backchannel_logout</code>. +Defaults to <code>false</code>.</p> +</li> +<li> +<p><code>backchannel_logout_ignore_sub</code>: by default, the OIDC Back-Channel Logout feature checks that the +<code>sub</code> claim matches the subject claim received during login. This check can be disabled by setting +this to <code>true</code>. Defaults to <code>false</code>.</p> +<p>You might want to disable this if the <code>subject_claim</code> returned by the mapping provider is not <code>sub</code>.</p> +</li> </ul> <p>It is possible to configure Synapse to only allow logins if certain attributes match particular values in the OIDC userinfo. The requirements can be listed under 
@@ -7225,6 +7236,10 @@ maintainer.</p> setting in your configuration file. See the <a href="usage/configuration/config_documentation.html#oidc_providers">configuration manual</a> for some sample settings, as well as the text below for example configurations for specific providers.</p> +<h2 id="oidc-back-channel-logout"><a class="header" href="#oidc-back-channel-logout">OIDC Back-Channel Logout</a></h2> +<p>Synapse supports receiving <a href="https://openid.net/specs/openid-connect-backchannel-1_0.html">OpenID Connect Back-Channel Logout</a> notifications.</p> +<p>This lets the OpenID Connect Provider notify Synapse when a user logs out, so that Synapse can end that user session. +This feature can be enabled by setting the <code>backchannel_logout_enabled</code> property to <code>true</code> in the provider configuration, and setting the following URL as destination for Back-Channel Logout notifications in your OpenID Connect Provider: <code>[synapse public baseurl]/_synapse/client/oidc/backchannel_logout</code></p> <h2 id="sample-configs"><a class="header" href="#sample-configs">Sample configs</a></h2> <p>Here are a few configs for providers that should work with Synapse.</p> <h3 id="microsoft-azure-active-directory"><a class="header" href="#microsoft-azure-active-directory">Microsoft Azure Active Directory</a></h3> 
@@ -7282,6 +7297,8 @@ to install Dex.</p> </code></pre> <h3 id="keycloak"><a class="header" href="#keycloak">Keycloak</a></h3> <p><a href="https://www.keycloak.org/docs/latest/server_admin/#sso-protocols">Keycloak</a> is an opensource IdP maintained by Red Hat.</p> +<p>Keycloak supports OIDC Back-Channel Logout, which sends logout notification to Synapse, so that Synapse users get logged out when they log out from Keycloak. +This can be optionally enabled by setting <code>backchannel_logout_enabled</code> to <code>true</code> in the Synapse configuration, and by setting the "Backchannel Logout URL" in Keycloak.</p> <p>Follow the <a href="https://www.keycloak.org/getting-started">Getting Started Guide</a> to install Keycloak and set up a realm.</p> <ol> <li> @@ -7305,6 +7322,8 @@ to install Dex.</p> <tr><td>Client Protocol</td><td><code>openid-connect</code></td></tr> <tr><td>Access Type</td><td><code>confidential</code></td></tr> <tr><td>Valid Redirect URIs</td><td><code>[synapse public baseurl]/_synapse/client/oidc/callback</code></td></tr> +<tr><td>Backchannel Logout URL (optional)</td><td> <code>[synapse public baseurl]/_synapse/client/oidc/backchannel_logout</code></td></tr> +<tr><td>Backchannel Logout Session Required (optional)</td><td> <code>On</code></td></tr> </tbody></table> <ol start="5"> <li>Click <code>Save</code></li> @@ -7328,6 +7347,7 @@ to install Dex.</p> config: localpart_template: "{{ user.preferred_username }}" display_name_template: "{{ user.name }}" + backchannel_logout_enabled: true # Optional </code></pre> <h3 id="auth0"><a class="header" href="#auth0">Auth0</a></h3> <p><a href="https://auth0.com/">Auth0</a> is a hosted SaaS IdP solution.</p> |
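Review bot: in the first hunk (config documentation, `backchannel_logout_ignore_sub`), the text explains how to disable the `sub` check and why one might want to, but not what a logout notification is still matched against once the check is off, so an operator cannot weigh the trade-off; add one sentence stating what remains validated before a session is ended (or point to the section that describes it). In the same hunk, `/_synapse/client/oidc/backchannel_logout` is given as a bare path while every later mention uses `[synapse public baseurl]/_synapse/client/oidc/backchannel_logout`; use the same form here so the two entries agree.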
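Review bot: in the second hunk (the new "OIDC Back-Channel Logout" section), "so that Synapse can end that user session" should read "that user's session", and the sentence ending in the `<code>` URL lacks a full stop. The section names only `backchannel_logout_enabled`; since this same patch also documents `backchannel_logout_ignore_sub`, link to the `usage/configuration/config_documentation.html#oidc_providers` anchor already used in the preceding paragraph so readers find both settings.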
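Review bot: in the Keycloak hunks, "sends logout notification to Synapse" should be "sends logout notifications", and "This can be optionally enabled" reads better as "This can optionally be enabled". The table row `Backchannel Logout Session Required (optional)` / `On` gives no reason for the value: add a short note on what this setting changes in the notification Keycloak sends and what happens if it is left off, otherwise operators will skip it because it is marked optional.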