
SAML2 plugin logout?

logout
saml2

#1

We have configured a client for one of our tenants with an active SAML2 plugin. The application uses Auth0 as IdP via SAML2. But when I log out of their application I’m redirected to an error page, since the settings might be wrong…?
The settings i currently have:
{ "logout": { "callback": "https://some-public-page.com/", "slo_enabled": "false" } }

Should the callback be something else? I haven’t found anything else in the documentation on it…
And if I remove the entire config (as per defaults) then I also see errors when trying to logout…
(more information can be provided, i just don’t know what to provide)
What to do?


Update:

The application is a Higher Logic (formerly known as Socius - http://socious.com/) cloud application. They connect to Auth0 via SAML2 (thus I created a Client for them, added the SAML2 plugin and gave them the various endpoints, certificates etc.)

The issue we have is that if I leave the Settings JSON empty, the user, when logging out of the Socius application, will see a white screen with only ‘missing client.addons.samlp.logout.callback’ as the contents. (The URL for that page is https://[our tenant url].auth0.com/samlp/[some key].)

If I on the other hand try to fix the missing callback value (i.e. pointing it to ‘https://www.disney.com’ or some other public URL), so that my settings look like:
{ "logout": { "callback": "https://disney.com/" } }
the user gets a different error page (styled this time), “Oops!, something went wrong”, with a technical explanation: “No active session(s) found matching LogoutRequest”?

So what, if anything, am I supposed to fill in?


#2

I confess I have not extensively used the SAML logout functionality, but based on the information provided it will be hard to hint at the problem. If the client application in question is a cloud service or some well-known software and you are okay with disclosing the use of that software, it may be useful, because SAML service providers may require different settings and in this way it could be possible to check their documentation, as the error likely implies that a configuration requirement was not met or there’s some incorrect configuration at the service provider itself.


#3

@jmangelo Thanks for the reply. (question updated with more details)



#5

The error can be triggered by multiple situations, so in order to provide a definitive answer you’ll need to provide the SAML request that the service provider application is performing. Using browser network tools you should be able to obtain this; basically there will be an HTTP request to https://YOUR_AUTH0_DOMAIN/samlp/CLIENT_ID/logout and that request will contain a SAMLRequest parameter you’ll need to share. If you are worried that it may contain sensitive information you can share it through sharelock.io only to @auth0.com domains.


#6

@jmangelo any thoughts based on my updated ‘comment’?


#7

I have email notifications set up for follow-up comments, but I have to be honest that sometimes the volume overloads my inbox and there are some delays in processing. In this case I totally missed the first reply, but I’ll review it today. Also, when an update does not fit into a comment feel free to update the original question, as posting it as an answer also has the side-effect of removing the question from the unanswered view.


#8

I could reproduce the initial problem of missing client.addons.samlp.logout.callback; however, when I provided a URL for that setting I was not able to reproduce the other error you mentioned. I used https://YOUR_AUTH0_DOMAIN/logout as the logout callback URL because I don’t have a service provider application that supports the logout response. Can you also test with that URL, which should just respond with an OK, to see if we can nail down where the problem happens?


#9

I have spoken too soon… I now have reproduced the second error, so we’ll get back to you with more information after reviewing the situation.


#10

@robin.speekenbrink the error can be triggered by multiple situations, so in order to provide a definitive answer you’ll need to provide the SAML request that the service provider application is performing. Using browser network tools you should be able to obtain this; basically there will be an HTTP request to https://YOUR_AUTH0_DOMAIN/samlp/CLIENT_ID/logout and that request will contain a SAMLRequest parameter you’ll need to share. If you are worried that it may contain sensitive information you can share it through sharelock.io only to @auth0.com domains.
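As an added example (not code from this thread or from Auth0), a small Python helper for the step the replies in #5 and #10 ask for: take the logout URL captured in the browser network tools, undo the HTTP-Redirect encoding of its SAMLRequest parameter (with a fallback for the plain-base64 HTTP-POST form), and list the Issuer, NameID and SessionIndex that the IdP matches against its session. The endpoint, issuer and identifiers below are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import urlparse, parse_qs, urlencode
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample LogoutRequest; issuer, NameID and SessionIndex are
# placeholders, not values from any real tenant or service provider.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0"
  IssueInstant="2017-01-01T00:00:00Z" Destination="https://YOUR_AUTH0_DOMAIN/samlp/CLIENT_ID/logout">
  <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  <samlp:SessionIndex>_session-index-placeholder</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def encode_redirect_binding(xml_text: str) -> str:
    """Raw-DEFLATE then base64 the XML, as the SAML HTTP-Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_saml_request(value: str) -> str:
    """HTTP-Redirect carries DEFLATE+base64; HTTP-POST carries plain base64."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode()
    except zlib.error:
        return raw.decode()


def summarize_logout_request(url: str) -> dict:
    """Extract the fields the IdP uses to find the session a LogoutRequest refers to."""
    query = parse_qs(urlparse(url).query)  # parse_qs also undoes the URL encoding
    root = ET.fromstring(decode_saml_request(query["SAMLRequest"][0]))
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a LogoutRequest: " + root.tag)
    name_id = root.find("saml:NameID", NS)
    return {
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "session_index": (root.findtext("samlp:SessionIndex", default="", namespaces=NS)).strip(),
    }


def sample_logout_url() -> str:
    """Build the kind of URL the browser tools would show for the constructed request."""
    return "https://YOUR_AUTH0_DOMAIN/samlp/CLIENT_ID/logout?" + urlencode(
        {"SAMLRequest": encode_redirect_binding(SAMPLE_LOGOUT_REQUEST)})
```

The NameID and SessionIndex are the values a LogoutRequest is matched against, so they are the ones worth comparing with what was issued at login, and the ones to redact before sharing the request.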

