The Single Logout URL ($SP/GLO=true) will usually work for the first logout in a clean browser, and then fails if the user logs back in and tries GLO again.
When it works, this is the flow:
Get $SP/GLO=true > 200
Post SAML LogoutRequest to IdP > 200 [ SAML LogoutResponse shows up in IdP server.log ]
Post SAML LogoutResponse to SP > 200
Get $SP/null > 200
Browser is left at the IdP login screen with a new AuthnRequest
When it does not work, this is the flow:
Get $SP/GLO=true > 200
Post SAML LogoutRequest to IdP > 200 [ SAML LogoutResponse DOES NOT show up in IdP server.log ]
Browser is left at the IdP login screen with a SAML LogoutRequest, OR browser is left at the $SP/null screen and never redirects to the IdP login screen
If the login credentials are entered, then the browser Posts a SAML LogoutResponse to the SP, OR the browser is left at $SP/null and protected resources are still accessible.
Once the logout flow stops working properly, it seems like there are basically no ways to get it working again in the same browser. The browser sits at the IdP login screen with the SAML LogoutResponse ready to POST, but it won’t post until login credentials are provided. Once the credentials are provided though, the session is logged back in.
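The two flows above differ in whether the IdP ever issues a LogoutResponse that answers the SP's LogoutRequest. The following is an added example, not code from the post or from the IdP/SP in question: a small Python diagnostic that (a) classifies a captured browser trace as a complete or incomplete Single Logout, and (b) checks that a LogoutResponse actually closes the LogoutRequest it claims to answer (matching InResponseTo, expected issuer, Success status). All XML messages, IDs, issuer URLs and trace entries are constructed for the example; a stale response (one answering an earlier request ID, as happens when a previous session's logout is replayed after re-login) is flagged rather than accepted.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample trace entries: (method, party, message), in browser order.
# Mirrors the "works" flow from the post.
TRACE_OK = [
    ("GET", "sp", "GLO=true"),
    ("POST", "idp", "LogoutRequest"),
    ("POST", "sp", "LogoutResponse"),
    ("GET", "sp", "null"),
]
# Mirrors the "does not work" flow: the IdP never answers the LogoutRequest.
TRACE_STUCK = [
    ("GET", "sp", "GLO=true"),
    ("POST", "idp", "LogoutRequest"),
]

# Constructed SAML messages (no signatures; issuer URLs are placeholders).
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-second-session" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://idp.example/saml/logout">
  <saml:Issuer>https://sp.example/metadata</saml:Issuer>
  <saml:NameID>user-42</saml:NameID>
  <samlp:SessionIndex>sess-2</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def make_response(in_response_to, status=SUCCESS):
    """Build a constructed LogoutResponse answering the given request ID."""
    return f"""<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z"
    InResponseTo="{in_response_to}" Destination="https://sp.example/saml/slo">
  <saml:Issuer>https://idp.example/auth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
</samlp:LogoutResponse>"""

LOGOUT_RESPONSE_OK = make_response("_req-second-session")
# A response that answers the *first* session's request: what a browser
# replaying an old POST after re-login would deliver.
LOGOUT_RESPONSE_STALE = make_response("_req-first-session")

def classify_logout_trace(trace):
    """'complete' if a LogoutResponse reached the SP after the LogoutRequest
    went to the IdP; 'incomplete' if the request went out but no response
    came back; 'not-started' if GLO was never initiated."""
    request_sent = False
    for method, party, message in trace:
        if method == "POST" and party == "idp" and message == "LogoutRequest":
            request_sent = True
        elif request_sent and method == "POST" and party == "sp" \
                and message == "LogoutResponse":
            return "complete"
    return "incomplete" if request_sent else "not-started"

def check_logout_response(request_xml, response_xml, expected_issuer):
    """Return a list of problems; empty means the response closes the request.
    Signature verification is out of scope here and assumed to happen first."""
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    problems = []
    if resp.get("InResponseTo") != req.get("ID"):
        problems.append("InResponseTo does not match the outstanding LogoutRequest ID")
    issuer = resp.find("saml:Issuer", NS)
    if issuer is None or issuer.text != expected_issuer:
        problems.append("unexpected or missing Issuer")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    return problems

if __name__ == "__main__":
    print(classify_logout_trace(TRACE_OK), classify_logout_trace(TRACE_STUCK))
    print(check_logout_response(LOGOUT_REQUEST, LOGOUT_RESPONSE_OK, "https://idp.example/auth"))
    print(check_logout_response(LOGOUT_REQUEST, LOGOUT_RESPONSE_STALE, "https://idp.example/auth"))
```

On the SP side, the InResponseTo check is what prevents a LogoutResponse left over from the previous session from being taken as proof that the current session was terminated at the IdP; the absence of the response in the IdP's server.log, as described above, is the other half of the same diagnostic.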