
OneLogin OpenId cookie expiration


I have successfully implemented OneLogin OpenID Connect SSO and I think it works great, with one caveat.

  1. When the user hits the http://localhost/testApp site hosted in local IIS, he is redirected to OneLogin to sign in.
  2. Once signed in, OneLogin redirects me to http://localhost/testApp/LoginStep2?code=@@#$@#$@#$@#$@#$
  3. Using the code I can retrieve the user's JWT.
  4. At this point the user is logged in.

If the user opens a new tab in the same browser and navigates to the app, the user will be "auto" logged in because the browser has the OneLogin cookie (correct me on this).

If the user restarts the browser and goes to http://localhost/testApp, the user is required to log in yet again... I believe this is because the OneLogin cookies are deleted when the browser closes (new browser session).

Digging deeper, I can achieve the functionality I am looking for if I manually modify Expires/Max-Age to a desired date in the future instead of "Session" on the sub_session_onelogin.com cookie.

Is there a way to configure the expiration of OneLogin cookies for the OpenID flow? I would like the user to stay logged in until a preset expiration/timeout or an explicit Log Out. How can I achieve this?


Solution

  • If you need the cookies to last longer, you can control this via the user policies in the OneLogin admin.

    Since the cookie lifespan controls (to a certain extent) how long the SSO session lasts, it's pretty fundamental to the users' security posture and is under the control of the users' policy.
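The thread turns on two separate cookie lifetimes: the IdP-side session cookie (the sub_session_onelogin.com cookie the question mentions, whose lifetime is set by the OneLogin user policy as the answer says) and the relying party's own session cookie, which the app issues after step 3 and controls itself. The following is an added example, not code from the poster's app or from OneLogin. It shows how to tell a browser-session cookie (no Expires/Max-Age, dropped on browser close) from a persistent one by parsing Set-Cookie headers, and how an app can issue its own session cookie with an explicit Max-Age, optionally bound to the ID token's `exp` claim. The cookie names, header values and timestamps are constructed for the example; the function names `parse_set_cookie` and `app_session_cookie` are this example's own.

```python
"""Cookie-lifetime helpers for an OIDC relying party (added example).

Assumptions: the app has already validated the ID token (signature, issuer,
audience, exp) and holds its `exp` claim as POSIX seconds. Nothing here
changes the IdP-side OneLogin cookie; that lifetime is a OneLogin user
policy setting.
"""
from __future__ import annotations

import time
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Optional


@dataclass
class CookieInfo:
    name: str
    persistent: bool
    expires_at: Optional[float]  # POSIX seconds; None for a browser-session cookie


def parse_set_cookie(header: str, now: Optional[float] = None) -> CookieInfo:
    """Classify one Set-Cookie header value.

    A cookie with neither Max-Age nor Expires is a "Session" cookie and is
    discarded when the browser closes, which is the behaviour the question
    observed. Per RFC 6265 section 4.1.2.2, Max-Age takes precedence over
    Expires when both are present.
    """
    now = time.time() if now is None else now
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age: Optional[int] = None
    expires: Optional[float] = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                continue  # malformed Max-Age is ignored, as RFC 6265 requires
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value).timestamp()
            except (TypeError, ValueError):
                continue  # unparseable date: ignore the attribute
    if max_age is not None:
        return CookieInfo(name, True, now + max_age)
    if expires is not None:
        return CookieInfo(name, True, expires)
    return CookieInfo(name, False, None)


def app_session_cookie(
    token_exp: int,
    desired_lifetime: int,
    now: Optional[float] = None,
    bind_to_token: bool = False,
    name: str = "app_session",          # hypothetical cookie name
    value: str = "opaque-session-id",   # stands in for a random server-side session id
) -> str:
    """Build the Set-Cookie header for the app's own session after code exchange.

    desired_lifetime is the app's policy (e.g. 14 days). With bind_to_token
    the session can never outlive the ID token it was minted from, the same
    idea as "use token lifetime" options in OIDC middleware; without it the
    app session lifetime is independent of the token once the token has been
    accepted at login.
    """
    now = int(time.time() if now is None else now)
    remaining = token_exp - now
    if remaining <= 0:
        raise ValueError("ID token already expired; refuse to create a session")
    max_age = min(desired_lifetime, remaining) if bind_to_token else desired_lifetime
    expires = format_datetime(
        datetime.fromtimestamp(now + max_age, tz=timezone.utc), usegmt=True
    )
    # Secure + HttpOnly + SameSite are the baseline for a session cookie over HTTPS;
    # Expires is sent alongside Max-Age for clients that honour only the former.
    return (
        f"{name}={value}; Max-Age={max_age}; Expires={expires}; "
        "Path=/; Secure; HttpOnly; SameSite=Lax"
    )
```

Running `parse_set_cookie` over the Set-Cookie headers returned during the redirect chain is a quick way to confirm which cookies are session-scoped before editing them by hand in the browser, and `app_session_cookie` is the piece the relying party actually controls regardless of what the IdP policy says.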