
Receiving a 400 Bad Request when trying to log out the user from the IdP session. The user is logged out from the application/Passport session, but not from the IdP session.

The logout and callback endpoints are set up as shown below. The logout endpoint attaches the attributes required to log out the user and to create the SAMLRequest.

app.get('/api/logout', (req, res) => {
  const currentUser = getCurrentUser(req);
  // the attributes the strategy needs to build the SAML LogoutRequest
  const user = {
    nameID: currentUser.nameID,
    nameIDFormat: currentUser.nameIDFormat,
    sessionIndex: currentUser.sessionIndex,
  };
  req.user = user;

  // strategy.logout builds the SAMLRequest and hands back the IdP redirect URL
  return strategy.logout(req, function(err, uri) {
    res.redirect(uri);
  });
});

app.post('/api/logout/callback', (req, res) => {
  req.logout(); // clears only the local Passport session
  // res.redirect(uri);
});

The config is set up like this:

const strategy = new SamlStrategy(
  {
    callbackUrl: process.env.CALLBACK_URL,
    entryPoint: process.env.ENTRY_POINT,
    issuer: process.env.ISSUER,
    logoutUrl: process.env.LOGOUT_URL,
    logoutCallbackUrl: process.env.LOGOUT_CALLBACK_URL,
  },
  strategyCallback,
);

Any help to troubleshoot the issue is much appreciated.

Asle Berge

1 Answer

Yes, the IdP session is not cleared because you have not logged out using the SAML protocol. The session at the IdP is not cleared using req.logout; only your application session can be cleared with this.

What you can do is:

    samlStrategy.logout(req, function(err, request) {
      if (!err) {
        // redirect to the IdP Logout URL
        res.redirect(request);
      }
    });

This would redirect to the IdP logout page, and you are supposed to give the IdP a logout callback URL. After a successful logout, the IdP would redirect to the callback URL.

Kartikeya Mishra