Hi @Kenyuri - Thanks for posting your question!
The short of it is that we're going to use workarounds in the immediate term. Longer term, there are maybe some other options we could think of or add to the CHT.
In response to your questions:
Does CHT currently support RP‑initiated logout (e.g. calling the IdP end_session_endpoint) when a user logs out of CHT?
Unfortunately not - the CHT only supports its own session cookie being expired, which does not affect the OIDC provider's session. The technical section of the SSO docs covers this as a known limitation ("Back-channel logout is not supported").
If not, are there any recommended configurations or workarounds for shared Android devices to prevent reuse of the previous user’s IdP session?
The best workaround I can think of is to instruct user A to go to the OIDC provider page/app and log out in addition to logging out of the CHT. This will ensure that when user B clicks log in, the OIDC provider will force them to log in before proceeding.
Additionally, are you still running a shorter default session duration of 8 hours? If this is configured on both the CHT and the Identity Provider, it should offer another level of protection against this scenario.
Can CHT be configured to: Force re‑authentication on each SSO login (e.g. using prompt=login, max_age=0)?
The CHT doesn’t offer this configuration either, sorry.
cc @sugat or @jkuester in case there’s anything I’m missing.