I’m using the WordPress Auth0 plugin on a school website.
Using an enterprise connection with G Suite accounts.
Login works fine.
When I log out from the site, I’d like users to be logged out also from their Google account.
I’m not a programmer; I’ve tried to look at and try many settings (both the WordPress plugin settings and some in the Auth0 Dashboard), but with no result.
Can I achieve this? If so, what do I have to put my hands on?
It is a matter of security on shared school computers: if a teacher logs in via the school website and logs out once finished, whoever comes after that teacher can access his Google account simply by opening a google.com webpage…
Hi @daniele.debiagi. Logging the user out of the upstream identity provider (like G Suite) when logging out of Auth0 is what the Auth0 docs refer to as “federated logout” (see Logout).
Unfortunately, it’s not possible at the moment to request a federated logout from the WP plugin. It was actually the default behavior a few versions back, but it was changed because:
- federated logout does not work with every type of connection
- it’s not the most common choice, as most users prefer not to be logged out of their IdP (although I understand your specific situation of a school website).
I’d suggest that you describe this use case in Issues · auth0/wordpress · GitHub to open up the discussion. Keep in mind that even if enabling this “federated” logout is possible, it could also bring a false sense of security: if a teacher forgets to log out, the session still persists. So, ultimately, this doesn’t replace giving training and advice on proper security practices, like opening an incognito window (and making sure you close all of them when you are done!) when using a shared computer.
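To make the distinction in the reply concrete: a federated logout is requested by sending the browser to Auth0's documented `/v2/logout` endpoint with the `federated` query flag (plus `client_id` and `returnTo`); without the flag, only the Auth0 session ends and the G Suite session survives. The snippet below is an added illustration, not code from the Auth0 WordPress plugin. The tenant domain, client ID and allowed-logout-URL list are constructed placeholders; the `returnTo` allowlist check mirrors Auth0's rule that `returnTo` must match a registered "Allowed Logout URLs" entry, which also keeps the logout link from being abused as an open redirect.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders standing in for a real tenant (not values from the thread).
AUTH0_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"

# Local mirror of the tenant's "Allowed Logout URLs" setting (constructed example).
ALLOWED_LOGOUT_URLS = {
    "https://school.example/",
    "https://school.example/wp-login.php?loggedout=true",
}


def is_allowed_return_to(return_to: str, allowed=ALLOWED_LOGOUT_URLS) -> bool:
    """Exact-match allowlist check: only pre-registered post-logout URLs are accepted."""
    return return_to in allowed


def build_logout_url(return_to: str, federated: bool,
                     domain: str = AUTH0_DOMAIN, client_id: str = CLIENT_ID) -> str:
    """Build the Auth0 logout URL the browser is redirected to on WordPress logout.

    federated=False ends the Auth0 session only (the plugin's current behaviour);
    federated=True additionally asks Auth0 to log the user out of the upstream
    IdP (G Suite here), which is what the thread calls "federated logout".
    """
    if not is_allowed_return_to(return_to):
        raise ValueError(f"returnTo not in Allowed Logout URLs: {return_to}")
    query = urlencode({"client_id": client_id, "returnTo": return_to})
    if federated:
        # Auth0 documents the flag as a bare "federated" parameter with no value.
        query = "federated&" + query
    return f"https://{domain}/v2/logout?{query}"


def is_federated_logout(url: str) -> bool:
    """Inspect a logout URL and report whether it will also end the IdP session.

    keep_blank_values is required because "federated" carries no value.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return "federated" in params


if __name__ == "__main__":
    for flag in (False, True):
        url = build_logout_url("https://school.example/", federated=flag)
        print(f"federated={flag}: {url} -> ends IdP session: {is_federated_logout(url)}")
```

Running the block prints the two URL variants side by side; the only difference is the leading `federated` parameter, which is exactly the option the plugin no longer exposes.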
Thank you @nicolas_sabena
I read about federated logout, and you answered my question exactly: it is not possible.
I agree with you that security issues are mainly a matter of user behavior,
but, on the other side, in my case it is the actual behavior of the plugin that may give a false sense of security: if a user opens my school website, logs in, uses the site (without opening tabs or services directly referring to G Suite), and after that logs out, he intuitively doesn’t think that a live G Suite session stays alive on that PC,
so I’d like to set up a first layer of security for the login path that is both simple and effective; after that, users must learn secure ways to deal with their accounts.
Thank you so much for your reply; I’ll follow your suggestion to open a discussion on GitHub.