From 88d22c68a024c55013ad9c347531a4d30043a3bf Mon Sep 17 00:00:00 2001 From: Yassine Bounekhla <56373201+rudream@users.noreply.github.com> Date: Wed, 24 Jul 2024 15:58:44 -0400 Subject: [PATCH] [v15] [Docs] Add SAML Single Logout instructions to docs (#44570) * add saml slo instructions to docs * CR --- docs/pages/access-controls/sso.mdx | 6 ++++-- docs/pages/includes/sso/saml-slo.mdx | 9 +++++++++ examples/resources/saml-connector.yaml | 3 +++ 3 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 docs/pages/includes/sso/saml-slo.mdx diff --git a/docs/pages/access-controls/sso.mdx b/docs/pages/access-controls/sso.mdx index d58f5cea38414..1eb2efea3546e 100644 --- a/docs/pages/access-controls/sso.mdx +++ b/docs/pages/access-controls/sso.mdx @@ -256,7 +256,6 @@ create a `cluster_auth_preference` resource. type: saml|oidc|github ``` - (!docs/pages/includes/sso/idp-initiated.mdx!) Create a file called `cap.yaml`: @@ -278,7 +277,6 @@ create a `cluster_auth_preference` resource. $ tctl create -f cap.yaml ``` - (!docs/pages/includes/sso/idp-initiated.mdx!) @@ -294,6 +292,8 @@ based on one of the following examples. (!docs/pages/includes/sso/idp-initiated.mdx!) +(!docs/pages/includes/sso/saml-slo.mdx!) + @@ -331,6 +331,8 @@ based on one of the following examples. (!docs/pages/includes/sso/idp-initiated.mdx!) +(!docs/pages/includes/sso/saml-slo.mdx!) + diff --git a/docs/pages/includes/sso/saml-slo.mdx b/docs/pages/includes/sso/saml-slo.mdx new file mode 100644 index 0000000000000..cf80b1ce9da51 --- /dev/null +++ b/docs/pages/includes/sso/saml-slo.mdx @@ -0,0 +1,9 @@ +
+ Setting the `spec.single_logout_url` endpoint in SAML connectors enables SAML SLO (Single Logout).
+ If enabled, upon logging out of Teleport, users will also be logged out of the SAML provider session, which
+ may also log them out of any other non-Teleport applications which they are currently logged into using the same SAML provider.
+
+ For optimal user experience, we recommend keeping this disabled unless necessary.
+
+ Refer to your SAML provider's documentation for instructions on where to obtain this URL.
+
\ No newline at end of file diff --git a/examples/resources/saml-connector.yaml b/examples/resources/saml-connector.yaml index b4ddc8415bb4a..43e94f227004a 100644 --- a/examples/resources/saml-connector.yaml +++ b/examples/resources/saml-connector.yaml @@ -28,4 +28,7 @@ spec: - access # Provides a path to the IdP metadata. entity_descriptor_url: https://example.okta.com/app/your-app-id/sso/saml/metadata + # Optional SAML Single Logout endpoint. If set, logging out of Teleport + # will also log the user out of the SAML provider session. + single_logout_url: https://example.okta.com/app/your-app-id/slo/saml \ No newline at end of file
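Review bot: The example sets `single_logout_url` as an active key, so anyone who copies this connector enables SLO by default, while the `saml-slo.mdx` text added in this same commit recommends keeping it disabled unless necessary. I would ship it commented out, `# single_logout_url: https://example.okta.com/app/your-app-id/slo/saml`, and extend the comment with the side effect the docs describe: `# Note: this may also end the user's sessions in other applications that use the same SAML provider.` The comment could also state the trade-off in the other direction: with the field unset, the SAML provider session presumably outlives the Teleport logout, which matters on shared workstations. The file still has no trailing newline after this change.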