OIDC Logout does not trigger SAML Single Logout (SLO) #254

Open
tft7000 opened this issue Oct 1, 2024 · 1 comment

tft7000 commented Oct 1, 2024

Summary

I am using SimpleSAMLphp as an IdP with the OIDC module (acting as an OP). Several clients (SPs/RPs) are connected to this IdP, some via SAML and others via OIDC. Additionally, in some cases, the IdP also acts as an SP and authenticates users through another remote IdP.

Problem

When logging out via OIDC, the IdP completes the local logout process and redirects to the specified return URL without logging out the associated SPs/RPs or any remote IdP that may have been involved.

Here is the OIDC logout URL I call:
https://myidp.tld/ssp/module.php/oidc/logout.php?id_token_hint=XXX&post_logout_redirect_uri=XXX

However, when logging out using SAML Single Logout (SLO), the logout process ensures that all SPs are logged out, including any possible remote IdP, before redirecting to the calling party.

Here is the SAML SLO URL I call:
https://myidp.tld/ssp/saml2/idp/SingleLogoutService.php?ReturnTo=XXX

Expected Behavior

Shouldn't the OIDC logout process also trigger the SAML SLO, ensuring that the session is terminated for all clients, both OIDC and SAML?

Version Info

  • SimpleSAMLphp: v2.3.2
  • OIDC Module: v5.1.0

Additional Information

Please let me know if this behavior is intended or if additional configuration is needed to enable SLO for OIDC clients. Any guidance on ensuring a consistent logout experience across both protocols would be greatly appreciated.

Collaborator

cicnavi commented Oct 1, 2024

@tft7000 Really great that you've noticed this... It is a known issue and it has to do with how SSP handles logout: simplesamlphp/simplesamlphp#1522

@tvdijen @monkeyiq If you have any feedback on this...
