Issue with Persistent Session after Logout in Open OnDemand with SSO

Hello,
I’m encountering an issue with the logout process in Open OnDemand where, after logging out, the session appears to end as expected. However, when I re-enter the URL, I am not prompted to log in again; it seems the session is still active and recognizes me, bypassing the need for re-authentication. This issue is peculiar to Open OnDemand in our setup, as other services utilizing the same SSO (Single Sign-On) implementation do not exhibit this problem, leading me to believe the issue might lie with Open OnDemand’s handling of the logout process rather than the SSO itself.

Here’s a summary of my SSO configuration for Open OnDemand:
auth:
  - "AuthType openid-connect"
  - "Require valid-user"

logout_redirect: "https://sso.e-science.pl/auth/realms/e-science.pl/protocol/openid-connect/logout"

user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.sh"

oidc_uri: "/oidc"

oidc_provider_metadata_url: "https://sso.e-science.pl/auth/realms/e-science.pl/.well-known/openid-configuration"
oidc_client_id: "openondemand"
oidc_client_secret: ***************

oidc_scope: "openid email"
oidc_session_inactivity_timeout: 28800
oidc_session_max_duration: 28800
oidc_state_max_number_of_cookies: "10 true"

oidc_settings:
  OIDCPassIDTokenAs: "serialized"
  OIDCPassRefreshToken: "On"
  OIDCPassClaimsAs: "environment"
  OIDCStripCookies: "mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1"
  OIDCResponseType: "code"

I am using Open OnDemand version 3.0.3, and this issue occurs across all web browsers, including Chrome, Firefox, and Edge, and persists even when using private or incognito modes.

Has anyone experienced a similar issue, or does anyone have insights on potential configuration adjustments that might resolve this persistent session problem? Any guidance or suggestions would be greatly appreciated.

OOD does not fully log out until at least the tab (but maybe even the browser) is closed.


That’s how it’s currently working for me, but I don’t think that’s correct, is it?

I just tried at OSC and it works for us. Here’s the configuration that we use in ood_portal.yml. Instead of redirecting to the IDP we redirect to the oidc_uri with the query parameter. We use OIDC too. So maybe it’s an issue of logging out the user on the Apache instance, not the OIDC.

logout_redirect: "/oidc?logout=https%3A%2F%2F%{hiera('openondemand::servername')}"

This resolved the issue, and everything is working perfectly now. Thank you for your help!
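
The difference between the two `logout_redirect` values in this thread can be checked mechanically. The following is an added example, not part of the original posts or of Open OnDemand itself: the function names and the `example.org` hostnames are constructed for illustration, and it takes the rendered value (after Hiera substitution) as input.

```python
from urllib.parse import quote, urlsplit, parse_qs


def build_logout_redirect(oidc_uri, servername):
    """Build a logout_redirect that passes through oidc_uri, as in the OSC answer."""
    return f"{oidc_uri}?logout={quote('https://' + servername, safe='')}"


def check_logout_redirect(logout_redirect, oidc_uri, servername):
    """Return a list of findings for a rendered logout_redirect value.

    An empty list means the redirect goes to oidc_uri with a logout=
    parameter, so mod_auth_openidc handles the logout on the Apache side
    before the browser is sent anywhere else.
    """
    findings = []
    url = urlsplit(logout_redirect)

    # An absolute URL on another host (e.g. the IdP) never touches oidc_uri.
    if url.netloc and url.hostname != servername.lower():
        findings.append(
            f"redirects straight to {url.hostname}; it does not pass through "
            f"{oidc_uri}, so the Apache-side session is not ended by this redirect"
        )
        return findings

    if url.path.rstrip("/") != oidc_uri.rstrip("/"):
        findings.append(f"path {url.path!r} is not oidc_uri {oidc_uri!r}")

    # parse_qs percent-decodes the value, so %3A%2F%2F becomes ://
    targets = parse_qs(url.query).get("logout", [])
    if not targets:
        findings.append("no logout= query parameter")
        return findings

    target = urlsplit(targets[0])
    if target.scheme != "https":
        findings.append(f"post-logout URL scheme is {target.scheme!r}, expected 'https'")
    if target.hostname != servername.lower():
        findings.append(f"post-logout URL host {target.hostname!r} is not the portal servername")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for value in ("https://sso.example.org/auth/realms/demo/protocol/openid-connect/logout",
                  build_logout_redirect("/oidc", "ondemand.example.org")):
        print(value, "->", check_logout_redirect(value, "/oidc", "ondemand.example.org") or "ok")
```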