Cannot logout of IDP

spencer_42 · December 14, 2017, 12:04pm

I’m using Auth0 as my SP and I’m trying to implement logout from the IDP (ADFS) but it’s not working. I’ve set the logout URL in the SAML connection to the IDP’s signout URL but when I call https://MY_DOMAIN.auth0.com/logout?federated or https://MY_DOMAIN.auth0.com/logout?federated&returnTo=http://RETURN_URL&client_id=CLIENT_ID I’m not logged out of the IDP.

I know it’s not the IDP URL because when I enter it directly I’m logged out so I think Auth0 isn’t using the signout url i’ve set. Any ideas?

jmangelo · December 14, 2017, 8:46pm

I did some tests with a SAML connection pointing to a OneLogin IdP and it worked as expected. Have in mind that the logout endpoint is /v2/logout and not just /logout, but that may just be an issue in the question.

You should the network trace in the browser to have a more detailed view of the actual requests being triggered; you should see one to the logout endpoint and then to the IdP logout endpoint; if not, update your question with exact configuration of the SAML connection.

spencer_42 · December 15, 2017, 1:29pm

Yea /logout was an error on my part (but looking at the logs it appears that it logs me out too). Anyway. there’s definitely only one request which is the logout request and it redirects me back to my desired page. No other calls or redirects to the idp.
![alt text][1]

Here’s screenshots of my connection
![alt text][2]
![alt text][3]

jmangelo · December 15, 2017, 9:43pm

I did a quick setup of an ADFS server and although I did get an error on logout (due to my hastiness in trying to setup) I did observe a redirect from /v2/logout to the ADFS signout endpoint. In my case I used https://adfs.example.com/adfs/ls and did not include the wa or any query parameter because the request will be a SAML logout and wa is WS-Federation if I recall correctly. However, that parameter is not issue because you don’t even get a redirect.

jmangelo · December 15, 2017, 9:45pm

Can you capture an HTTP trace (ideally using something other than Chrome which has the nasty habit of omitting response bodies; for example Fiddler) of an authentication transaction followed immediately by a logout request? You can share it only to @auth0.com emails by password protecting it and sharing the password through the sharelock.io service.

spencer_42 · December 20, 2017, 1:47pm

I’m not getting a response body, I’m only getting two calls to https://sharelock.io/1/mrFe9g_aPvum84-FWJbEaR_sJZNPUJp0AkiqKA1KOdQ.9cMxNV/VmBpVLL6OJHrpbgTRdmcLN_wdw0685h-JMGZNgdP-eeVObh4y-/ihItnBLP7vDmPxw4j55-84cvBnQvkKKpy9UQyIetgaMVf7eZR_/X1F_T5OdBcGn0mEbyhI3k9mlEuQd_Rr6E1Di45jJK5YLraX2aE/0i4c.BdrJoOhG4kSzdjyDKH774w
and https://MY_DOMAIN.auth0.com/user/ssodata/ when I’m redirected back to my home page

spencer_42 · January 23, 2018, 12:54pm

Looks like we needed to tweak the configuration in ADFS. For anyone facing this in the future, I performed the following steps;

Set the NameID in ADFS (in order to perform federated logout , the NameID is required.
The signOutEndpoint in the Auth0 SAMP connection should contain https://{youdomain}.adfs.server/adfs/ls/?wa=wsignout1.0