SSO Session
Until now, we have been prompted with a login dialog each time we issued a kc token ... command.
On the Kubauth login page, there is a "Remember me" checkbox:
When checked, a session cookie is set, and subsequent login attempts will proceed automatically using the same user credentials.
You can verify this by launching several kc token ... commands.
The session cookie is associated only with the login page and is independent of the client application. This enables cross-application Single Sign-On (SSO).
Logout
What if you want to log in with different user credentials?
You must first log out. This can be accomplished with another kc subcommand:
No OIDC configuration found in kubeconfig
Opening browser to logout endpoint: https://kubauth.mycluster.mycompany.com/oauth2/logout
Disregard the first message about kubeconfig. This will be explained later in the Kubernetes integration section.
As indicated, a browser should open to call the logout URL.
Session Storage
Sessions are persisted as Kubernetes resources:
NAME LOGIN NAME DEADLINE AGE
h-6d4d8f33c407a727857ba335d257a04d6d0116c40fa81c26903bb9469139563c john John DOE 2025-10-28T00:19:44Z 34s
h-d13bc676b003a200aca5051558b2cd21eccb44f557bee058df00aa3eb6d2bd22 jim 2025-10-28T00:19:13Z 65s
Manually deleting a session resource is an alternative method to terminate a session.
Configuration
SSO configuration can be modified using Helm chart values:
values.yaml
sessionNamespace: Specifies the namespace where SSO sessions are persisted, and enables its creation during Kubauth deployment.lifeTime: Sets the session duration. This is an absolute duration with no idle timeout.sticky: When true, the session cookie is persistent. When false, the session expires when the browser is closed.