From 24343647b1b836e297c4954b16fc7db930cb1a4c Mon Sep 17 00:00:00 2001
From: Yassine Bounekhla
Date: Fri, 21 Jun 2024 15:10:48 -0400
Subject: [PATCH] add comment
---
 lib/web/apiserver.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
index 71fd9f17e436b..ec04358bb25ec 100644
--- a/lib/web/apiserver.go
+++ b/lib/web/apiserver.go
@@ -2193,6 +2193,9 @@ func (h *Handler) deleteWebSession(w http.ResponseWriter, r *http.Request, _ htt
 // If the user has SAML SLO (single logout) configured, return a redirect link to the SLO URL.
 if user != nil && len(user.GetSAMLIdentities()) > 0 && user.GetSAMLIdentities()[0].SAMLSingleLogoutURL != "" {
+ // The WebUI will redirect the user to this URL to initiate the SAML SLO on the IdP side. This is safe because this URL
+ // is hard-coded in the auth connector and can't be modified by the end user. Additionally, the user's Teleport session has already
+ // been invalidated by this point so there is nothing to hijack.
 return map[string]interface{}{"samlSloUrl": user.GetSAMLIdentities()[0].SAMLSingleLogoutURL}, nil
 }
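Review bot: The added comment in the SAML SLO branch of deleteWebSession asserts two safety invariants that the hunk itself does not establish. The value returned is read from the user's stored SAML identity (`user.GetSAMLIdentities()[0].SAMLSingleLogoutURL`), not from the auth connector directly, and the session invalidation it relies on happens above the hunk. "Hard-coded" also reads as an overstatement, since the URL is presumably administrator-configured on the connector and copied to the identity at login. Once that provenance is confirmed, I would name the trust boundary instead, e.g. `// samlSloUrl is taken from the user's SAML identity, which is set from the admin-managed auth connector at login and never from this request.`, and note that the WebUI should still reject a non-HTTPS value before redirecting. The function starts and ends outside the hunk.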