From 5d10fd5c2306328e7fb8d446c911ea09ea1ce585 Mon Sep 17 00:00:00 2001 From: Joshua Kuestersteffen Date: Wed, 22 Apr 2026 14:18:36 -0500 Subject: [PATCH 1/2] feat(#10650): document SSO max_age setting --- content/en/hosting/SSO/overview.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/content/en/hosting/SSO/overview.md b/content/en/hosting/SSO/overview.md index 686b303ec..8e0a37cab 100644 --- a/content/en/hosting/SSO/overview.md +++ b/content/en/hosting/SSO/overview.md 
@@ -40,10 +40,17 @@ SSO authentication is implemented with the industry standard [OpenID Connect](ht 4. Before logging into the CHT, each SSO user must have a CHT user [provisioned with an "SSO Email Address"](/building/reference/api/#/User/v3UsersPost) that matches the email address configured for the user with the OIDC Provider. 5. Use the "Login with SSO" button on the CHT login page. +### Require re-authentication + +By default, SSO Authentication will use the user's current session with the OIDC Provider (if one exists). If the user is already logged in and has an active session with the OIDC Provider, the user may be automatically logged in to the CHT when clicking the "Login with SSO" button (without actually needing to re-authenticate). + +In some cases, this behavior is not desired and the user should be required to re-authenticate with the OIDC provider. You can define the maximum allowed age of the user's current session with the OIDC Provider, after which the user will be required to re-authenticate when logging into the CHT even if their session is still active. Set the `oidc_provider.max_age` setting to the allowable elapsed time in seconds since the last time the user was actively authenticated by the OIDC Provider. If the elapsed time is greater than this value, the user will be required to re-authenticate. + +Setting `max_age: 0` will always require re-authenticating with the OIDC Provider when logging into the CHT. + ## Detailed Guides For more detailed guides and requirements, see the following documents: - {{< cards >}} {{< card link="../keycloak" title="KeyCloak" icon="key" >}} {{< card link="../entra" title="Microsoft Entra" icon="lock-open" >}} From e2797470724d05f271df7808bdbd737aa5685cf9 Mon Sep 17 00:00:00 2001 
From: Joshua Kuestersteffen Date: Fri, 24 Apr 2026 09:51:42 -0500 Subject: [PATCH 2/2] Add more details about when you might want to use max_age. --- content/en/hosting/SSO/overview.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/content/en/hosting/SSO/overview.md b/content/en/hosting/SSO/overview.md index 8e0a37cab..7b5e51ec4 100644 --- a/content/en/hosting/SSO/overview.md +++ b/content/en/hosting/SSO/overview.md 
@@ -42,9 +42,15 @@ SSO authentication is implemented with the industry standard [OpenID Connect](ht ### Require re-authentication -By default, SSO Authentication will use the user's current session with the OIDC Provider (if one exists). If the user is already logged in and has an active session with the OIDC Provider, the user may be automatically logged in to the CHT when clicking the "Login with SSO" button (without actually needing to re-authenticate). +{{< callout >}} +Added in TODO +{{< /callout >}} + +By default, SSO Authentication will use the user's current session with the OIDC provider (if one exists). If the user has already authenticated with the OIDC provider and has an active session on the device, the user may be automatically logged in to the CHT when clicking the "Login with SSO" button (without actually needing to re-authenticate with the OIDC provider). + +In some cases, this behavior is not desired and the user should be required to re-authenticate with the OIDC provider. For example, if you have multiple users sharing the same device, it may be challenging for an SSO user to log out of the CHT and have a different user log in to the CHT. The previous user's active session with the OIDC provider might get used during the SSO login flow (even though the previous user's _CHT session_ was ended when they logged out). This results in the new user being logged into the CHT account for the previous user. -In some cases, this behavior is not desired and the user should be required to re-authenticate with the OIDC provider. You can define the maximum allowed age of the user's current session with the OIDC Provider, after which the user will be required to re-authenticate when logging into the CHT even if their session is still active. Set the `oidc_provider.max_age` setting to the allowable elapsed time in seconds since the last time the user was actively authenticated by the OIDC Provider. 
If the elapsed time is greater than this value, the user will be required to re-authenticate. +To avoid this behavior, you can define the maximum allowed age of the user's current session with the OIDC Provider, after which the user will be required to re-authenticate when logging into the CHT even if their session is still active. Set the `oidc_provider.max_age` setting to the allowable elapsed time in seconds since the last time the user was actively authenticated by the OIDC Provider. If the elapsed time is greater than this value, the user will be required to re-authenticate. Setting `max_age: 0` will always require re-authenticating with the OIDC Provider when logging into the CHT.
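Review bot: In the first hunk (PATCH 1/2), the new "Require re-authentication" section introduces `oidc_provider.max_age` without saying where the setting lives (the same place the rest of `oidc_provider` is configured) or what happens when it is left unset; a one-line pointer plus an explicit "unset means an existing OIDC provider session is always reused" would spare readers a trip to the API reference. The phrase "the user will be required to re-authenticate" also reads as a CHT guarantee, whereas `max_age` is a request parameter that the OIDC provider honours (per OIDC Core the OP re-authenticates when the time since the last authentication exceeds `max_age`, and `max_age=0` behaves like `prompt=login`); consider "the OIDC provider will require the user to re-authenticate" and a note that the provider must support `max_age`. Separately, the single `-` line before `{{< cards >}}` (the "1 deletion" in the header) appears to drop the blank line after "see the following documents:", which is unrelated to this change; confirm it is intentional.

Review bot: In the second hunk (PATCH 2/2), the `{{< callout >}} Added in TODO {{< /callout >}}` block is a placeholder; fill in the CHT release that ships `oidc_provider.max_age` before merging, otherwise the published page will literally read "Added in TODO". On the shared-device example: the text explains that a previous user's active OIDC provider session can log the next user into the previous user's CHT account, but the remedy paragraph only describes `max_age` in general terms. Since any value greater than 0 still allows that session to be reused within the window, state explicitly that `max_age: 0` is the setting to use for shared devices, and that `max_age` forces re-authentication at CHT login without ending the previous user's session with the OIDC provider. Minor: the added paragraphs alternate between "OIDC provider" and "OIDC Provider" (the same paragraph uses both); pick one capitalization.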