Auth: Add a feature toggle to roll out SAML session improvements (#98750)

Add separate feature toggle to roll out SAML-related external session improvements

docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md

@@ -93,7 +93,7 @@ Most [generally available](https://grafana.com/docs/release-life-cycle/#general-
 [Public preview](https://grafana.com/docs/release-life-cycle/#public-preview) features are supported by our Support teams, but might be limited to enablement, configuration, and some troubleshooting.
 
 | Feature toggle name                   | Description                                                                                                                                                                                  |
-| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `panelTitleSearch`                    | Search for dashboards using panel title                                                                                                                                                      |
 | `autoMigrateOldPanels`                | Migrate old angular panels to supported versions (graph, table-old, worldmap, etc)                                                                                                           |
 | `autoMigrateGraphPanel`               | Migrate old graph panel to supported time series panel - broken out from autoMigrateOldPanels to enable granular tracking                                                                    |
@@ -120,8 +120,9 @@ Most [generally available](https://grafana.com/docs/release-life-cycle/#general-
 | `ssoSettingsSAML`                     | Use the new SSO Settings API to configure the SAML connector                                                                                                                                 |
 | `azureMonitorPrometheusExemplars`     | Allows configuration of Azure Monitor as a data source that can provide Prometheus exemplars                                                                                                 |
 | `ssoSettingsLDAP`                     | Use the new SSO Settings API to configure LDAP                                                                                                                                               |
-| `improvedExternalSessionHandling` | Enable improved support for OAuth and SAML external sessions in Grafana                                                                                                                      |
+| `improvedExternalSessionHandling`     | Enables improved support for OAuth external sessions. After enabling this feature, users might need to re-authenticate themselves.                                                           |
 | `elasticsearchCrossClusterSearch`     | Enables cross cluster search in the Elasticsearch datasource                                                                                                                                 |
+| `improvedExternalSessionHandlingSAML` | Enables improved support for SAML external sessions. Ensure the NameID format is correctly configured in Grafana for SAML Single Logout to function properly.                                |
 
 ## Experimental feature toggles
 

packages/grafana-data/src/types/featureToggles.gen.ts

@@ -249,4 +249,5 @@ export interface FeatureToggles {
   investigationsBackend?: boolean;
   k8SFolderCounts?: boolean;
   k8SFolderMove?: boolean;
+  improvedExternalSessionHandlingSAML?: boolean;
 }

pkg/services/featuremgmt/registry.go

@@ -1489,7 +1489,7 @@ var (
 		},
 		{
 			Name:        "improvedExternalSessionHandling",
-			Description: "Enable improved support for OAuth and SAML external sessions in Grafana",
+			Description: "Enables improved support for OAuth external sessions. After enabling this feature, users might need to re-authenticate themselves.",
 			Stage:       FeatureStagePublicPreview,
 			Owner:       identityAccessTeam,
 		},
@@ -1723,6 +1723,12 @@ var (
 			Owner:       grafanaSearchAndStorageSquad,
 			Expression:  "false",
 		},
+		{
+			Name:        "improvedExternalSessionHandlingSAML",
+			Description: "Enables improved support for SAML external sessions. Ensure the NameID format is correctly configured in Grafana for SAML Single Logout to function properly.",
+			Stage:       FeatureStagePublicPreview,
+			Owner:       identityAccessTeam,
+		},
 	}
 )
 

pkg/services/featuremgmt/toggles_gen.csv

@@ -230,3 +230,4 @@ lokiLabelNamesQueryApi,GA,@grafana/observability-logs,false,false,false
 investigationsBackend,experimental,@grafana/grafana-app-platform-squad,false,false,false
 k8SFolderCounts,experimental,@grafana/search-and-storage,false,false,false
 k8SFolderMove,experimental,@grafana/search-and-storage,false,false,false
+improvedExternalSessionHandlingSAML,preview,@grafana/identity-access-team,false,false,false

pkg/services/featuremgmt/toggles_gen.go

@@ -796,7 +796,7 @@ const (
 	FlagAlertingQueryAndExpressionsStepMode = "alertingQueryAndExpressionsStepMode"
 
 	// FlagImprovedExternalSessionHandling
-	// Enable improved support for OAuth and SAML external sessions in Grafana
+	// Enables improved support for OAuth external sessions. After enabling this feature, users might need to re-authenticate themselves.
 	FlagImprovedExternalSessionHandling = "improvedExternalSessionHandling"
 
 	// FlagUseSessionStorageForRedirection
@@ -930,4 +930,8 @@ const (
 	// FlagK8SFolderMove
 	// Enable folder's api server move
 	FlagK8SFolderMove = "k8SFolderMove"
+
+	// FlagImprovedExternalSessionHandlingSAML
+	// Enables improved support for SAML external sessions. Ensure the NameID format is correctly configured in Grafana for SAML Single Logout to function properly.
+	FlagImprovedExternalSessionHandlingSAML = "improvedExternalSessionHandlingSAML"
 )

pkg/services/featuremgmt/toggles_gen.json

@@ -1803,14 +1803,29 @@
     {
       "metadata": {
         "name": "improvedExternalSessionHandling",
-        "resourceVersion": "1736255708514",
+        "resourceVersion": "1736440595516",
         "creationTimestamp": "2024-09-17T10:54:39Z",
         "annotations": {
-          "grafana.app/updatedTimestamp": "2025-01-07 13:15:08.514525 +0000 UTC"
+          "grafana.app/updatedTimestamp": "2025-01-09 16:36:35.516462 +0000 UTC"
         }
       },
       "spec": {
-        "description": "Enable improved support for OAuth and SAML external sessions in Grafana",
+        "description": "Enables improved support for OAuth external sessions. After enabling this feature, users might need to re-authenticate themselves.",
+        "stage": "preview",
+        "codeowner": "@grafana/identity-access-team"
+      }
+    },
+    {
+      "metadata": {
+        "name": "improvedExternalSessionHandlingSAML",
+        "resourceVersion": "1736440619329",
+        "creationTimestamp": "2025-01-09T16:33:07Z",
+        "annotations": {
+          "grafana.app/updatedTimestamp": "2025-01-09 16:36:59.329967 +0000 UTC"
+        }
+      },
+      "spec": {
+        "description": "Enables improved support for SAML external sessions. Ensure the NameID format is correctly configured in Grafana for SAML Single Logout to function properly.",
         "stage": "preview",
         "codeowner": "@grafana/identity-access-team"
       }