Logout and session management doc (#3148)

a doc about session management and logging out.

astro/src/content/docs/_shared/_authentication_type_claim_values.mdx

@@ -14,7 +14,7 @@
 * `OPENID_CONNECT` - The User was authenticated using an external OpenID Connect provider. <span class="text-green-500">Available since 1.1.0</span>
 * `PASSWORD` - The User was authenticated using a loginId and password combination.
 * `PASSWORDLESS` - The user was authenticated using a passwordless login link. &nbsp; <span class="text-green-500">Available since 1.5.0</span>
-* `PING` - The user was authenticated using a `PUT` request on the Login API. This is used to record a login event without prompting for credentials.
+* `PING` - The user was authenticated using a `PUT` request on the Login API. This is used to record a login event without prompting for credentials, such as when the FusionAuth SSO session is used.
 * `REFRESH_TOKEN` - The User requested a new JWT using a Refresh Token.
 * `REGISTRATION` - The user was created using the Registration API.  &nbsp; <span class="text-green-500">Available since 1.16.0</span>
 * `SAMLv2` - The User was authenticated using an external SAMLv2 provider. <span class="text-green-500">Available since 1.6.0</span>

astro/src/content/docs/apis/jwt.mdx

@@ -205,6 +205,8 @@ This API has been available since 1.8.0
 
 ## Refresh a JWT
 
+This can be used to extend a centrally managed session when a refresh token represents a user session. [Learn more about using refresh tokens to model sessions](/docs/lifecycle/authenticate-users/logout-session-management).
+
 ### Request
 
 <API method="POST" uri="/api/jwt/refresh" authentication={["none"]} title="Request a new Access Token by presenting a valid Refresh Token."/>
@@ -287,6 +289,8 @@ Cookie: refresh_token=xRxGGEpVawiUak6He367W3oeOfh+3irw+1G1h1jc; access_token=eyJ
 
 ## Retrieve Refresh Tokens
 
+This can be used to examine a centrally managed session when the refresh token represents a user session. [Learn more about using refresh tokens to model sessions](/docs/lifecycle/authenticate-users/logout-session-management).
+
 ### Request
 
 <API method="GET" uri="/api/jwt/refresh/{tokenId}" authentication={["api-key"]} title="Retrieve a Single Refresh Token"/>
@@ -327,6 +331,8 @@ Cookie: refresh_token=xRxGGEpVawiUak6He367W3oeOfh+3irw+1G1h1jc; access_token=eyJ
 
 ## Revoke Refresh Tokens
 
+This can be used to revoke a centrally managed session, when the refresh token is being used to model a session. [Learn more about using refresh tokens to model sessions](/docs/lifecycle/authenticate-users/logout-session-management).
+
 ### Request
 
 <API method="DELETE" uri="/api/jwt/refresh?applicationId={applicationId}" authentication={["api-key"]} title="Revoke all Refresh Tokens for an entire Application"/>

astro/src/content/docs/apis/login.mdx

@@ -349,7 +349,9 @@ _Response Codes_
 The Logout API is intended to be used to remove the refresh token and access token cookies if they exist on the client and revoke the refresh token. This
 API does nothing if the request does not contain an access token or refresh token cookies.
 
-The refresh token is only revoked if the request contains the `refresh_token` cookie or the `refreshToken` request parameter.
+The refresh token is only revoked if the request contains the `refresh_token` cookie or the `refreshToken` request parameter. 
+
+This does not revoke the FusionAuth SSO session. Use [`/oauth2/logout`](/docs/lifecycle/authenticate-users/oauth/endpoints#logout) to do so.
 
 ### Request
 

astro/src/content/docs/get-started/core-concepts/users.mdx

@@ -498,7 +498,7 @@ Learn more about [Family API with Consents](/blog/2023/06/13/modeling-family-and
 
 ### Sessions
 
-Users have sessions in FusionAuth. Sessions are equivalent to refresh tokens. Their lifetime is controlled by the tenant or application refresh token settings.
+Users have sessions in FusionAuth. Sessions are represented by refresh tokens. Their lifetime is controlled by the tenant or application refresh token settings.
 
 These appear in the administrative user interface under the <strong>Sessions</strong> tab (you may need to scroll if your screen is small):
 
@@ -512,27 +512,7 @@ There are two primary types of sessions/tokens shown in this table:
 With <InlineUIElement>Delete all sessions</InlineUIElement> button, you can revoke all sessions for a user.
 This is useful if you want to force a user to log in again.
 
-#### Session Details
-
-A session can be created by using the Login API, as long as <InlineField>[Generate refresh tokens](/docs/get-started/core-concepts/applications#security)</InlineField> is enabled, or by completing the [OAuth Authorization Code grant](/docs/lifecycle/authenticate-users/oauth/#example-authorization-code-grant) when the `offline_access` scope is requested.
-
-A session will end when:
-
-* It expires.
-* It is deleted using the [JWT APIs](/docs/apis/jwt#revoke-refresh-tokens).
-* Optionally, as a result of a user changing their password or having their account locked.
-
-These can be configured in the [Tenant Refresh Token settings](/docs/get-started/core-concepts/tenants#jwt) or the [Application Refresh Token settings](/docs/get-started/core-concepts/applications#jwt).
-
-An SSO session will end if you log out of SSO.
-
-<Aside type="note">
-Normal sessions are not ended, nor are associated refresh tokens revoked, by [front channel logout](/docs/lifecycle/authenticate-users/oauth/endpoints#logout).
-</Aside>
-
-When a session is no longer valid, the associated refresh token can't be used to create new JWTs.
-
-The JWTs themselves are valid until they expire.
+[Learn more about sessions and logging out](/docs/lifecycle/authenticate-users/logout-session-management).
 
 #### Table Columns
 

astro/src/content/docs/lifecycle/authenticate-users/_sessions-expiration.mdx

@@ -0,0 +1,18 @@
+import Breadcrumb from 'src/components/Breadcrumb.astro';
+import InlineField from 'src/components/InlineField.astro';
+
+The single sign-on session duration can be configured at the Tenant level. Navigate to <Breadcrumb>Tenant -> Your Tenant -> OAuth</Breadcrumb> and edit the <InlineField>Session timeout</InlineField> value. Because this value is shared between applications, it can't be overridden in application configuration.
+
+<img src="/img/docs/lifecycle/authenticate-users/tenant-single-sign-on-session-timeout.png" alt="Configuring the single sign-on session length." width="1200" role="bottom-cropped" />
+
+The length of a single sign-on session can be different from the session length for individual applications. When a request to an application occurs, there are four possible scenarios:
+
+*Single sign-on session scenarios*
+
+| Application Session | FusionAuth Session | Result                                                                                                                                                                                            |
+|---------------------|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| valid               | valid              | Application serves request.                                                                                                                                                                       |
+| valid               | expired            | Application serves request.                                                                                                                                                                       |
+| expired             | valid              | Application redirects to FusionAuth, which redirects back to the application. The application then adds the user to the session and serves the request.                                           |
+| expired             | expired            | The user must authenticate with FusionAuth. On successful authentication, FusionAuth redirects back to the application. The application then adds the user to the session and serves the request. |
+