By: KEVIN KENNEDY user 14 Aug 2020 at 3:31 p.m. CDT

1 Response
Hello, We have SAML SLO setup in Gluu and our app as a Service Provider. When we attempt to logout, we successfully go through the flow of sending a logout request to the Gluu IDP, and it responds back to our SLS endpoint and in the end we are sent back to our home page. What happens then, is that it still shows the user as logged in. The Gluu side is saying that the session was removed. The SP side is logging that the session was invalidated as well. When we land on our home page, it sends a SAML Auth request over to the IDP and sees that there's still a session and sets the user as logged in (instead of bouncing them to the login page). If we attempt to go to the IDP, instead of the Gluu GUI, it sends us to the login page -- at least indicating that we may not be logged into oxAuth anymore. As long as the browser is open, the session still remains on the IDP side, and any refresh of the home page of our site when does the SAML auth request and it still appears to be logged in. Only closing the browser completely removes this (after doing one of the logout methods below, or the SAML logout). If we attempt to use "https://<ourdomain>/oxauth/restv1/end_session" to log out it instead of the SLO flow, it says: `{"reason":"Session was removed successfully but post_logout_redirect_uri validation fails since AS failed to validate it against clients associated with session (which was just removed).","error_description":"The provided post logout uri is not associated with client.","error":"post_logout_uri_not_associated_with_client"}` After using this, we can still refresh the home page and appear to still be logged in. If we attempt to use "https://<ourdomain>/idp/Authn/oxAuth/logout" to log out, it does not work because we can't identify the session on the IDP side: `{"reason":"Failed to identify session by session_id query parameter or by session_id cookie.","error_description":"The provided id token (or access token) or session state are invalid or were issued to another client.","error":"invalid_grant_and_session"}` After using this, we can still refresh the home page and appear to still be logged in. It doesn't work without the session_id query param. * Is there another endpoint we can try to force logout? * Is there something that would maintain the session even though it was supposed to be destroyed by the "end_session" endpoint? * Alternatively, is there a way to get the session_id necessary to use the "logout" endpoint above and identify the session that appears to still be active?

By Mohib Zico staff 19 Aug 2020 at 1:38 a.m. CDT

Mohib Zico gravatar
Hi, We should concentrate on using `https://<ourdomain>/idp/Authn/oxAuth/logout` as SAML SLO. Let's do next: - Use above link and run logout, record the screencast and share with us. - Make shibboleth logs DEBUG, record that log ( idp-process.log ) and share that as well. We will see what's happening where.