By: Markus Thielen user 03 Sep 2016 at 7:56 a.m. CDT

10 Responses
Hi there,

I have a simple scenario with SAMLv2 and Gluu server as IDP. When I'm doing a logout from my SP and redirect to <gluu>/idp/logout.jsp to destroy the SSO session, it redirects me to

> https://.../oxauth/seam/resource/restv1/oxauth/end_session?id_token_hint=b114408c-fbf3-42a4-a405-0ea719c80c1a&post_logout_redirect_uri=https%3A%2F%2F...%2Fidentity%2Fauthentication%2Ffinishlogout

and shows me an error in the browser:

> { "error": "invalid_grant", "error_description": "The provided access token is invalid, or was issued to another client." }

The wrapper.log on the server says:

> INFO | jvm 1 | 2016/09/03 12:30:24 | 2016-09-03 12:30:24,857 INFO [xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl] Failed to find out authorization grant for id_token_hint 'b114408c-fbf3-42a4-a405-0ea719c80c1a'

And I'm not logged off. Any idea what that could mean? Is it enough to just redirect to <gluu>/idp/logout.jsp? Or is there anything else I have to consider?

Thank you so much.
Markus

By Michael Schwartz Account Admin 03 Sep 2016 at 9:20 a.m. CDT

Yes, we have a patch for logout. It seems like the logout jsp was using the wrong token (access v. id_token). We'll post instructions on how to patch it here.
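The failing request above passes an opaque access token (`b114408c-...`) as `id_token_hint`, which is why oxAuth cannot find the grant. As an added example (not Gluu's code), the helper below builds the end_session URL the way the corrected logout flow should and refuses anything that is not structurally an ID token (a JWT). The host name, client id and the unsigned sample token are constructed for illustration only.

```python
import base64
import json
from urllib.parse import urlencode

END_SESSION_PATH = "/oxauth/seam/resource/restv1/oxauth/end_session"  # path from the failing request above


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def looks_like_id_token(token: str) -> bool:
    """True if token is a JWT whose payload carries the mandatory ID token claims.
    An opaque access token such as a UUID fails this check immediately."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and isinstance(claims, dict) and {"iss", "sub", "aud"} <= claims.keys()


def build_end_session_url(gluu_host: str, id_token: str, post_logout_redirect_uri: str) -> str:
    """Build the RP-initiated logout URL; raise instead of sending the wrong token type."""
    if not looks_like_id_token(id_token):
        raise ValueError("id_token_hint must be the ID token (a JWT), not an access token")
    query = urlencode({"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri})
    return f"https://{gluu_host}{END_SESSION_PATH}?{query}"


def make_sample_id_token() -> str:
    """Constructed, unsigned sample ID token (the signature segment is a placeholder, never verified)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = _b64url_encode(json.dumps({"iss": "https://idp.example.test", "sub": "markus",
                                        "aud": "constructed-client-id"}).encode())
    return f"{header}.{claims}.{_b64url_encode(b'constructed-signature')}"


if __name__ == "__main__":
    print(build_end_session_url("idp.example.test", make_sample_id_token(),
                                "https://idp.example.test/identity/authentication/finishlogout"))
```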

By Markus Thielen user 03 Sep 2016 at 9:28 a.m. CDT

Awesome! Thank you!

By Yuriy Movchan staff 05 Sep 2016 at 11:47 a.m. CDT

Hi Markus,

Can you try the CE 2.4.4 SP1 war files? Here are the update instructions:

1. Download http://ox.gluu.org/maven/org/xdi/oxauth-server/2.4.4.sp1/oxauth-server-2.4.4.sp1.war as oxauth.war
2. Download if needed: http://ox.gluu.org/maven/org/xdi/oxtrust-server/2.4.4.sp1/oxtrust-server-2.4.4.sp1.war as identity.war
3. Download if needed: http://ox.gluu.org/maven/org/xdi/oxidp/2.4.4.sp1/oxidp-2.4.4.sp1.war as idp.war
4. Stop tomcat.
5. Remove exploded folders from /opt/tomcat/webapps.
6. Back up the existing war files which we are going to replace.
7. Put the new war files into /opt/tomcat/webapps and idp.war into /opt/idp/war if needed.
8. Start tomcat.

By Yuriy Movchan staff 05 Sep 2016 at 11:50 a.m. CDT

Also it's possible to customize the post logout URI now. It's needed only if you want to redirect to a custom page after calling the IDP logout: https://idp.server/idp/logout.jsp

In this case we need to open in an LDAP browser the entry:

> dn: ou=oxidp,ou=configuration,inum=%(inumAppliance)s,ou=appliances,o=gluu

and add:

> ,"openIdPostLogoutRedirectUri": "https://%(hostname)s/identity/authentication/finishlogout"

before the closing "}". It's also possible to replace "https://%(hostname)s/identity/authentication/finishlogout" with any required URL.

By Markus Thielen user 05 Sep 2016 at 12:15 p.m. CDT

Looks good so far. Also great news about customizing the post logout URI. Just what I have been looking for. Thank you so much.

By Gene Liverman user 01 Oct 2016 at 8:48 p.m. CDT

Is this fix being released via the repos or are the instructions above the only fix?

By Michael Schwartz Account Admin 02 Oct 2016 at 10:55 a.m. CDT

We are releasing a patch for 2.4.4, and it will also be included in the next release, 2.4.5.

By Gene Liverman user 03 Oct 2016 at 10:26 a.m. CDT

Thanks Michael. Is there a timeline associated with those releases yet?

By Michael Schwartz Account Admin 03 Oct 2016 at 8:02 p.m. CDT

We're still QA-ing these patches. But if you're on Ubuntu 14.x or Centos 6.x, it's ready: [https://gluu.org/docs/deployment/updating/](https://gluu.org/docs/deployment/updating/)

By Gene Liverman user 05 Oct 2016 at 2:39 p.m. CDT

Thanks. I am actually on CentOS 7.