add optional logout URL step to self-hosted IdP setup guides #775

Open
TechHutTV wants to merge 1 commit into main from fix/idp-logout-url
@TechHutTV (Collaborator) commented Jun 2, 2026

Summary

Adds an optional step to the self-hosted Identity Provider setup guides showing how to register NetBird's logout callback URL (https://netbird.example.com/oauth2/logout/callback) so that signing out of NetBird redirects back cleanly through the IdP. The step is placed inline at the point where each guide configures the OIDC redirect URI, and names the correct field for each provider (the field label differs per IdP). Providers that don't expose a logout/sign-out redirect field get a short clarifying note instead of a step. advanced/* guides are intentionally untouched.

Description

What changed

Each guide gets the logout URL added as an optional in-flow step next to the existing redirect-URI step, using the same domain placeholder convention already used in that file (netbird.example.com, <NETBIRD_FQDN> for ADFS, <your-netbird-domain> for JumpCloud / Generic OIDC).

The logout URL is constant — …/oauth2/logout/callback — but where it goes differs per provider:

| Provider | Field referenced |
| --- | --- |
| Keycloak | Valid post logout redirect URIs |
| Zitadel | Post Logout URIs |
| Auth0 | Allowed Logout URLs |
| Okta | Sign-out redirect URIs |
| Pocket ID | Logout Callback URLs |
| JumpCloud | Post Logout Redirect URIs |
| Authentik | Redirect URIs/Origins (Authentik validates post-logout against the same allowlist — added as a second Strict entry) |
| Microsoft Entra ID | Added as an additional Web redirect URI (Entra validates post_logout_redirect_uri against registered redirect URIs) |
| ADFS | Included in the -RedirectUri array (same reason) |
| Generic OIDC | Optional block: register it if your provider exposes a post-logout/sign-out redirect URI |

Providers without a logout field

Duo (generic OIDC relying party exposes only Sign-In Redirect URLs) and Google Workspace (OAuth 2.0 client has only Authorized redirect URIs) have no logout/sign-out redirect field. Rather than document a step against a field that doesn't exist, these two pages get a short <Note> stating no logout URL needs to be configured.

Note

The logout mechanism was inferred from the /oauth2/logout/callback path (treated as a post-logout redirect the IdP returns the browser to).

Files changed

12 files under src/pages/selfhosted/identity-providers/ (adfs, authentik, generic-oidc, keycloak, pocketid, zitadel, and managed/{auth0, duo, google-workspace, jumpcloud, microsoft-entra-id, okta}).

Summary by CodeRabbit

  • Documentation
    • Updated identity provider configuration guides (ADFS, Authentik, Generic OIDC, Keycloak, Auth0, Duo, Google Workspace, JumpCloud, Microsoft Entra ID, Okta, PocketID, Zitadel) with optional instructions for configuring logout redirect URLs, enabling clean post-logout redirects back to NetBird.
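
The allowlist behaviour the description relies on (Entra ID, ADFS and Authentik validating the post-logout redirect against registered URIs), as an added example that is not part of the PR or of NetBird's code. It assumes the provider compares by exact string match; the IdP endpoint, client ID, `state` value and all function names are hypothetical.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

LOGOUT_PATH = "/oauth2/logout/callback"  # constant path from the PR description


def logout_callback(netbird_domain):
    """URL to register at the IdP, built from the bare NetBird domain."""
    return f"https://{netbird_domain}{LOGOUT_PATH}"


def end_session_url(end_session_endpoint, client_id, redirect, state):
    """Logout request the browser is sent to (OIDC RP-initiated logout)."""
    query = urlencode({
        "client_id": client_id,
        "post_logout_redirect_uri": redirect,
        "state": state,
    })
    return f"{end_session_endpoint}?{query}"


def idp_post_logout_target(request_url, registered_uris):
    """Simulated IdP check: redirect only to an exactly registered URI.

    Returns the URL the browser is sent back to, or None when the IdP
    keeps the user on its own signed-out page.
    """
    params = parse_qs(urlsplit(request_url).query)
    requested = params.get("post_logout_redirect_uri", [None])[0]
    if requested is None or requested not in registered_uris:
        return None
    state = params.get("state", [""])[0]
    return f"{requested}?{urlencode({'state': state})}" if state else requested


if __name__ == "__main__":
    # Constructed sample values; the IdP endpoint and client ID are hypothetical.
    callback = logout_callback("netbird.example.com")
    request = end_session_url("https://idp.example.com/logout", "netbird",
                              callback, "abc123")
    cases = {
        "sign-in redirect only": {"https://netbird.example.com/placeholder-sign-in"},
        "logout callback registered": {callback},
        "registered with trailing slash": {callback + "/"},
        "registered as http://": {callback.replace("https://", "http://")},
    }
    for label, registered in cases.items():
        print(f"{label}: {idp_post_logout_target(request, registered)}")
```
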

coderabbitai Bot (Contributor) commented Jun 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 36b7137e-a057-48a8-8fd7-ae518be56aa7

📥 Commits

Reviewing files that changed from the base of the PR and between e49d920 and 0fdc2a7.

📒 Files selected for processing (12)
  • src/pages/selfhosted/identity-providers/adfs.mdx
  • src/pages/selfhosted/identity-providers/authentik.mdx
  • src/pages/selfhosted/identity-providers/generic-oidc.mdx
  • src/pages/selfhosted/identity-providers/keycloak.mdx
  • src/pages/selfhosted/identity-providers/managed/auth0.mdx
  • src/pages/selfhosted/identity-providers/managed/duo.mdx
  • src/pages/selfhosted/identity-providers/managed/google-workspace.mdx
  • src/pages/selfhosted/identity-providers/managed/jumpcloud.mdx
  • src/pages/selfhosted/identity-providers/managed/microsoft-entra-id.mdx
  • src/pages/selfhosted/identity-providers/managed/okta.mdx
  • src/pages/selfhosted/identity-providers/pocketid.mdx
  • src/pages/selfhosted/identity-providers/zitadel.mdx

Walkthrough

This pull request adds optional logout redirect URI configuration instructions to 12 identity provider setup guides. Self-hosted providers (ADFS, Authentik, Generic OIDC, Keycloak) and managed services (Auth0, Okta, Zitadel, etc.) receive instructions to register NetBird's logout callback URL. Duo and Google Workspace documentation clarifies these platforms lack logout redirect support.

Changes

Logout Redirect URI Configuration Guidance

| Layer | File(s) | Summary |
| --- | --- | --- |
| Self-hosted provider logout configuration | src/pages/selfhosted/identity-providers/adfs.mdx, authentik.mdx, generic-oidc.mdx, keycloak.mdx | ADFS, Authentik, Generic OIDC, and Keycloak documentation updated with optional instructions to register NetBird's logout callback URL (/oauth2/logout/callback) as an additional redirect URI to enable clean post-logout redirects. |
| Managed provider logout configuration | src/pages/selfhosted/identity-providers/managed/auth0.mdx, jumpcloud.mdx, microsoft-entra-id.mdx, okta.mdx, pocketid.mdx, zitadel.mdx | Auth0, JumpCloud, Microsoft Entra ID, Okta, PocketID, and Zitadel documentation updated with instructions to configure post-logout or sign-out redirect URIs pointing to NetBird's logout callback endpoint, including domain placeholder guidance. |
| Provider logout support clarifications | src/pages/selfhosted/identity-providers/managed/duo.mdx, google-workspace.mdx | Duo and Google Workspace documentation clarified with notes explaining these providers do not support separate logout/sign-out redirect URI configuration due to their OIDC implementation limitations. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • SunsetDrifter
  • braginini

Poem

🐰 Across the providers, a logout trail appears,
From ADFS to Google, through all the tiers,
RedirectURIs whisper "come back home,"
No more lost in sign-out's unknown foam!
Clean redirects for all—except those two,
Who wave goodbye in their own OIDC view. 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding optional logout URL configuration steps across self-hosted IdP setup documentation guides. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

src/pages/selfhosted/identity-providers/adfs.mdx

Oops! Something went wrong! :(

ESLint: 9.39.4

TypeError: Converting circular structure to JSON
--> starting at object with constructor 'Object'
| property 'configs' -> object with constructor 'Object'
| property 'flat' -> object with constructor 'Object'
| ...
| property 'plugins' -> object with constructor 'Object'
--- property 'react' closes the circle

src/pages/selfhosted/identity-providers/authentik.mdx

src/pages/selfhosted/identity-providers/generic-oidc.mdx

  • 9 others

@TechHutTV TechHutTV marked this pull request as ready for review June 2, 2026 20:17
@TechHutTV TechHutTV closed this Jun 2, 2026
@TechHutTV TechHutTV reopened this Jun 2, 2026