feat(embedded): add feature flag to disable logout button in embedded contexts

docs/docs/configuration/networking-settings.mdx

@@ -96,6 +96,22 @@ To enable this entry, add the following line to the `.env` file:
 SUPERSET_FEATURE_EMBEDDED_SUPERSET=true
 ```
 
+### Hiding the Logout Button in Embedded Contexts
+
+When Superset is embedded in an application that manages authentication via SSO (OAuth2, SAML, or JWT), the logout button should be hidden since session management is handled by the parent application.
+
+To hide the logout button, add to `superset_config.py`:
+
+```python
+FEATURE_FLAGS = {
+    "DISABLE_EMBEDDED_SUPERSET_LOGOUT": True,
+}
+```
+
+:::note
+When embedding with SSO, also set `SESSION_COOKIE_SAMESITE = 'None'` and `SESSION_COOKIE_SECURE = True`. See [Security documentation](/docs/security/securing_superset) for details.
+:::
+
 ## CSRF settings
 
 Similarly, [flask-wtf](https://flask-wtf.readthedocs.io/en/0.15.x/config/) is used to manage

docs/static/feature-flags.json

@@ -248,6 +248,14 @@
         "description": "Data panel closed by default in chart builder",
         "category": "runtime_config"
       },
+      {
+        "name": "DISABLE_EMBEDDED_SUPERSET_LOGOUT",
+        "default": false,
+        "lifecycle": "stable",
+        "description": "Hide the logout button in embedded contexts (e.g., when using SSO in iframes)",
+        "docs": "https://superset.apache.org/docs/configuration/networking-settings#hiding-the-logout-button-in-embedded-contexts",
+        "category": "runtime_config"
+      },
       {
         "name": "DRILL_BY",
         "default": true,

superset-frontend/packages/superset-ui-core/src/utils/featureFlags.ts

@@ -37,6 +37,7 @@ export enum FeatureFlag {
   DashboardRbac = 'DASHBOARD_RBAC',
   DatapanelClosedByDefault = 'DATAPANEL_CLOSED_BY_DEFAULT',
   DateRangeTimeshiftsEnabled = 'DATE_RANGE_TIMESHIFTS_ENABLED',
+  DisableEmbeddedSupersetLogout = 'DISABLE_EMBEDDED_SUPERSET_LOGOUT',
   /** @deprecated */
   DrillToDetail = 'DRILL_TO_DETAIL',
   DrillBy = 'DRILL_BY',

superset-frontend/src/features/home/RightMenu.test.tsx

@@ -24,9 +24,19 @@ import {
   userEvent,
   waitFor,
 } from 'spec/helpers/testing-library';
+import { isFeatureEnabled, FeatureFlag } from '@superset-ui/core';
 import RightMenu from './RightMenu';
 import { GlobalMenuDataOptions, RightMenuProps } from './types';
 
+jest.mock('@superset-ui/core', () => ({
+  ...jest.requireActual('@superset-ui/core'),
+  isFeatureEnabled: jest.fn(),
+}));
+
+const mockIsFeatureEnabled = isFeatureEnabled as jest.MockedFunction<
+  typeof isFeatureEnabled
+>;
+
 jest.mock('react-redux', () => ({
   ...jest.requireActual('react-redux'),
   useSelector: jest.fn(),
@@ -155,6 +165,7 @@ const mockNonExamplesDB = Array.from({ length: 2 })
 const useSelectorMock = jest.spyOn(reactRedux, 'useSelector');
 
 beforeEach(async () => {
+  mockIsFeatureEnabled.mockReturnValue(false);
   useSelectorMock.mockReset();
   fetchMock.get(
     'glob:*api/v1/database/?q=(filters:!((col:allow_file_upload,opr:upload_is_enabled,value:!t)))',
@@ -398,3 +409,31 @@ test('Logs out and clears local storage item redux', async () => {
     expect(sessionStorage.getItem('login_attempted')).toBeNull();
   });
 });
+
+test('shows logout button when DISABLE_EMBEDDED_SUPERSET_LOGOUT is false', async () => {
+  mockIsFeatureEnabled.mockReturnValue(false);
+  resetUseSelectorMock();
+  render(<RightMenu {...createProps()} />, {
+    useRedux: true,
+    useQueryParams: true,
+    useTheme: true,
+  });
+
+  userEvent.hover(await screen.findByText(/Settings/i));
+  expect(await screen.findByText('Logout')).toBeInTheDocument();
+});
+
+test('hides logout button when DISABLE_EMBEDDED_SUPERSET_LOGOUT is true', async () => {
+  mockIsFeatureEnabled.mockImplementation(
+    (flag: FeatureFlag) => flag === FeatureFlag.DisableEmbeddedSupersetLogout,
+  );
+  resetUseSelectorMock();
+  render(<RightMenu {...createProps()} />, {
+    useRedux: true,
+    useQueryParams: true,
+    useTheme: true,
+  });
+
+  userEvent.hover(await screen.findByText(/Settings/i));
+  expect(screen.queryByText('Logout')).not.toBeInTheDocument();
+});

superset-frontend/src/features/home/RightMenu.tsx

@@ -23,7 +23,12 @@ import { Link } from 'react-router-dom';
 import { useQueryParams, BooleanParam } from 'use-query-params';
 import { isEmpty } from 'lodash';
 import { t } from '@apache-superset/core';
-import { SupersetClient, getExtensionsRegistry } from '@superset-ui/core';
+import {
+  SupersetClient,
+  getExtensionsRegistry,
+  isFeatureEnabled,
+  FeatureFlag,
+} from '@superset-ui/core';
 import { styled, css, SupersetTheme, useTheme } from '@apache-superset/core/ui';
 import {
   Tag,
@@ -489,15 +494,19 @@ const RightMenu = ({
             ),
           });
         }
-        userItems.push({
-          key: 'logout',
-          label: (
-            <Typography.Link href={navbarRight.user_logout_url}>
-              {t('Logout')}
-            </Typography.Link>
-          ),
-          onClick: handleLogout,
-        });
+        if (!isFeatureEnabled(FeatureFlag.DisableEmbeddedSupersetLogout)) {
+          userItems.push({
+            key: 'logout',
+            label: (
+              <Typography.Link
+                href={ensureAppRoot(navbarRight.user_logout_url)}
+              >
+                {t('Logout')}
+              </Typography.Link>
+            ),
+            onClick: handleLogout,
+          });
+        }
 
         items.push({
           type: 'group',

superset/config.py

@@ -741,6 +741,11 @@ class D3TimeFormat(TypedDict, total=False):
     # @lifecycle: stable
     # @category: runtime_config
     "MENU_HIDE_USER_INFO": False,
+    # Hide the logout button in embedded contexts (e.g., when using SSO in iframes)
+    # @lifecycle: stable
+    # @category: runtime_config
+    # @docs: https://superset.apache.org/docs/configuration/networking-settings#hiding-the-logout-button-in-embedded-contexts
+    "DISABLE_EMBEDDED_SUPERSET_LOGOUT": False,
     # Use Slack avatars for users. Requires adding slack-edge.com to TALISMAN_CONFIG.
     # @lifecycle: stable
     # @category: runtime_config