diff options
| author | Quentin Gliech <quenting@element.io> | 2022-10-31 18:07:30 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-10-31 13:07:30 -0400 |
| commit | cc3a52b33df72bb4230367536b924a6d1f510d36 (patch) | |
| tree | 1a3bf6576c1a4d0239cbe3354fa348793e0b7aaa /docs/usage/configuration | |
| parent | Bump sentry-sdk from 1.5.11 to 1.10.1 (#14330) (diff) | |
| download | synapse-cc3a52b33df72bb4230367536b924a6d1f510d36.tar.xz | |
Support OIDC backchannel logouts (#11414)
If configured an OIDC IdP can log a user's session out of Synapse when they log out of the identity provider. The IdP sends a request directly to Synapse (and must be configured with an endpoint) when a user logs out.
Diffstat (limited to 'docs/usage/configuration')
| -rw-r--r-- | docs/usage/configuration/config_documentation.md | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md index 97fb505a5f..44358faf59 100644 --- a/docs/usage/configuration/config_documentation.md +++ b/docs/usage/configuration/config_documentation.md @@ -3021,6 +3021,15 @@ Options for each entry include: which is set to the claims returned by the UserInfo Endpoint and/or in the ID Token. +* `backchannel_logout_enabled`: set to `true` to process OIDC Back-Channel Logout notifications. + Those notifications are expected to be received on `/_synapse/client/oidc/backchannel_logout`. + Defaults to `false`. + +* `backchannel_logout_ignore_sub`: by default, the OIDC Back-Channel Logout feature checks that the + `sub` claim matches the subject claim received during login. This check can be disabled by setting + this to `true`. Defaults to `false`. + + You might want to disable this if the `subject_claim` returned by the mapping provider is not `sub`. It is possible to configure Synapse to only allow logins if certain attributes match particular values in the OIDC userinfo. The requirements can be listed under |