15 changes: 14 additions & 1 deletion content/en/hosting/SSO/overview.md
Expand Up @@ -40,10 +40,23 @@ SSO authentication is implemented with the industry standard [OpenID Connect](ht
4. Before logging into the CHT, each SSO user must have a CHT user [provisioned with an "SSO Email Address"](/building/reference/api/#/User/v3UsersPost) that matches the email address configured for the user with the OIDC Provider.
5. Use the "Login with SSO" button on the CHT login page.

### Require re-authentication

{{< callout >}}
Added in TODO
{{< /callout >}}

By default, SSO Authentication will use the user's current session with the OIDC provider (if one exists). If the user has already authenticated with the OIDC provider and has an active session on the device, the user may be automatically logged in to the CHT when clicking the "Login with SSO" button (without actually needing to re-authenticate with the OIDC provider).

In some cases, this behavior is not desired and the user should be required to re-authenticate with the OIDC provider. For example, if you have multiple users sharing the same device, it may be challenging for an SSO user to log out of the CHT and have a different user log in to the CHT. The previous user's active session with the OIDC provider might get used during the SSO login flow (even though the previous user's _CHT session_ was ended when they logged out). This results in the new user being logged into the CHT account for the previous user.

To avoid this behavior, you can define the maximum allowed age of the user's current session with the OIDC Provider, after which the user will be required to re-authenticate when logging into the CHT even if their session is still active. Set the `oidc_provider.max_age` setting to the allowable elapsed time in seconds since the last time the user was actively authenticated by the OIDC Provider. If the elapsed time is greater than this value, the user will be required to re-authenticate.

Setting `max_age: 0` will always require re-authenticating with the OIDC Provider when logging into the CHT.

## Detailed Guides

For more detailed guides and requirements, see the following documents:

{{< cards >}}
{{< card link="../keycloak" title="KeyCloak" icon="key" >}}
{{< card link="../entra" title="Microsoft Entra" icon="lock-open" >}}
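Review bot: the `Added in TODO` callout at the top of the new "Require re-authentication" section still carries a placeholder; it needs the actual CHT version in which `oidc_provider.max_age` shipped before this merges, otherwise readers on older releases will not know the setting is unavailable to them. Two smaller documentation points in the same section: the prose only mentions `max_age: 0` inline, so a short settings snippet showing where `oidc_provider.max_age` lives in the configuration (alongside the existing `oidc_provider` keys) would make it concrete; and since the motivating scenario is a shared device, it is worth stating explicitly that this setting only forces re-authentication on the next CHT login and does not end the previous user's session with the OIDC Provider, which stays active until the provider expires it.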