
I am using the Spring SAML implementation. SSOCircle's metadata XML has a logout endpoint, which supports both local logout and global logout. But there are some other IdPs I am interacting with that do not have logout endpoints in their metadata XML.

How should LOGOUT be handled in these scenarios?

Is deleting the cookies of the request the only solution to this problem, or is there any workaround for this scenario?

Your help in this regard is much appreciated.

SM KUMAR
  • In my case the SP has ACS and logout (both POST), and when I click a link (to SP logout) I get 404... SSO I am doing as IdP flow (unsolicited SAMLResponse to SP ACS)... but not able to figure out how to call SP logout... In Kentor all samples' logout links go to AuthServices /logout.... Please help... – Saurabh Jun 25 '18 at 18:17

1 Answer


It is not mandatory for your IdPs to have a SingleLogout endpoint. You can perform a local logout, which clears the local cookies, by calling /saml/logout?local=true. You can find all the details in the manual.

Vladimír Schäfer
  • @vschafer Yes, that point is clear. But in my scenario, I don't have a discovery page and I directly display the SSO login page to the user. Once the user provides his credentials, the IdP validates them with a success response and the application allows the user into the system. I am using local logout as I don't have a logout endpoint for the IdP. Once the user clicks on the logout button, I redirect the user back to the home page. But the home page has a call to the login page. For this reason, the user is again authenticated with the IdP and is always logged in. Is there any workaround for this problem? – SM KUMAR Oct 15 '14 at 10:15
  • Create a logout page which is unsecured and send the user there (in successLogoutHandler) after logout instead of the login page. Or change the home page so it doesn't automatically invoke IdP authentication, but makes the user press some "login" button first. – Vladimír Schäfer Oct 15 '14 at 10:19
  • @VladimírSchäfer How can we achieve this effect in Spring Boot, which does not have XML-based configuration? – rogue lad Aug 30 '17 at 12:22
  • @VladimírSchäfer In my application, I'm using multiple metadata files, and some have a single logout endpoint defined and some have not. This process works fine for metadata configurations that have the single logout endpoint defined. However, the process fails and ends in an error if the IdP does not have a single logout endpoint defined in its metadata. How do I handle this case? – Sanjay Saini Feb 06 '19 at 18:28
  • @VladimírSchäfer Hi, thanks for your awesome help with the Spring library along with SAML. We have something similar as well. We have a single metadata file that is shared with two IdPs. I would like to have different postLogoutUrls depending on where the logout happens (global ones). One IdP is for customers, the other one is for admin users. When I try to do `/saml/logout?target=onelogin` or `/saml/logout?target=adfs`, what I get in my custom version of `SimpleUrlLogoutSuccessHandler` in `onLogoutSuccess` is `/saml/SingleLogout` without any of the initial params passed. Thanks for any help – Michail Michailidis Jun 19 '19 at 20:40
  • Can someone provide the SAML logout flow, if possible with one example? I am stuck at redirection; while logging out it is redirecting to the other IdP. – ramesh bommakanti Jul 14 '20 at 13:23
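The answer and the comment thread above describe three things a practitioner has to put together: a local logout (`/saml/logout?local=true`) when the IdP has no SingleLogout endpoint, a post-logout landing page that is not protected (otherwise the still-valid IdP session silently re-authenticates the user, as SM KUMAR observed), and a way to express this in Java configuration rather than XML. The following is an added example, not code from the original post or from the Spring Security SAML project. It assumes the Spring Security SAML 1.0.x extension API (`SAMLLogoutFilter` with its protected `isGlobalLogout` hook, `SAMLCredential.getRemoteEntityID()`, `MetadataManager.getEntityDescriptor()`) and OpenSAML 2 metadata types; the package, class and bean names and the `/logged-out` URL are assumptions for illustration. The filter inspects the metadata of the IdP that issued the current assertion and only starts a global Single Logout when that IdP actually publishes a SAML 2.0 SingleLogoutService; otherwise it degrades to a local logout, which is the failure Sanjay Saini's comment hits.

```java
// Added example, not from the original post or the Spring Security SAML project.
// Assumes Spring Security SAML 1.0.x and OpenSAML 2. Package, class/bean names
// and the "/logged-out" URL are assumptions for illustration.
package example.saml;

import java.util.List;
import javax.servlet.http.HttpServletRequest;

import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.SAMLLogoutFilter;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;

/**
 * Logout filter that attempts a global (IdP-side) Single Logout only when the
 * IdP that authenticated the current user publishes a SAML 2.0
 * SingleLogoutService in its metadata. For any other IdP it behaves as if the
 * client had requested /saml/logout?local=true.
 */
public class MetadataAwareLogoutFilter extends SAMLLogoutFilter {

    private final MetadataManager metadata;

    public MetadataAwareLogoutFilter(MetadataManager metadata,
                                     SimpleUrlLogoutSuccessHandler successHandler,
                                     LogoutHandler[] localHandlers,
                                     LogoutHandler[] globalHandlers) {
        super(successHandler, localHandlers, globalHandlers);
        this.metadata = metadata;
    }

    @Override
    protected boolean isGlobalLogout(HttpServletRequest request, Authentication auth) {
        // Parent logic: false for ?local=true or when credentials are not a SAMLCredential.
        if (!super.isGlobalLogout(request, auth)) {
            return false;
        }
        // Parent returned true, so the credentials are a SAMLCredential.
        String idpEntityId = ((SAMLCredential) auth.getCredentials()).getRemoteEntityID();
        return idpSupportsSingleLogout(idpEntityId);
    }

    /** True when the IdP's metadata declares at least one SAML 2.0 SingleLogoutService. */
    boolean idpSupportsSingleLogout(String idpEntityId) {
        try {
            EntityDescriptor idp = metadata.getEntityDescriptor(idpEntityId);
            if (idp == null) {
                return false;
            }
            IDPSSODescriptor sso = idp.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
            if (sso == null) {
                return false;
            }
            List<SingleLogoutService> slo = sso.getSingleLogoutServices();
            return slo != null && !slo.isEmpty();
        } catch (MetadataProviderException e) {
            // Metadata not resolvable: a local logout is the safe fallback.
            return false;
        }
    }
}

/** Java configuration replacing the XML beans from the manual (assumed names). */
@Configuration
class SamlLogoutConfig {

    @Bean
    public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
        SimpleUrlLogoutSuccessHandler handler = new SimpleUrlLogoutSuccessHandler();
        // Must be a page that is permitted without authentication, or the
        // still-live IdP session will log the user straight back in.
        handler.setDefaultTargetUrl("/logged-out");
        return handler;
    }

    @Bean
    public SecurityContextLogoutHandler logoutHandler() {
        SecurityContextLogoutHandler handler = new SecurityContextLogoutHandler();
        handler.setInvalidateHttpSession(true);
        handler.setClearAuthentication(true);
        return handler;
    }

    @Bean
    public MetadataAwareLogoutFilter samlLogoutFilter(MetadataManager metadata) {
        LogoutHandler[] handlers = { logoutHandler() };
        return new MetadataAwareLogoutFilter(metadata, successLogoutHandler(), handlers, handlers);
    }
}
```

Register `samlLogoutFilter` in the SAML filter chain at `/saml/logout/**` in place of the stock `SAMLLogoutFilter`, exactly as the manual describes for the XML variant, and make sure `/logged-out` is `permitAll()`. Note that a local logout only ends the SP session: the IdP session survives, so a user who later hits any protected URL is re-authenticated without being prompted, which is the behaviour the comments above describe.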