SafariWebAuth.clearSession unexpectedly redirects to federated logout for non-SAML users #176
Comments
Hey @srgray can you walk me through the steps to reproduce and also what iOS you were testing on. Thx

I have tested this on iOS 10.2 and 11.1 simulators. The behavior is the same for both iOS 10/11. Here are my Auth0 configuration details: My iOS application, upon user action of Logout, invokes the SafariWebAuth.clearSession function with 'federated' parameter = true for all users (regardless of user type). For the SAML users, they are properly redirected to the configured SAML 'Sign Out URL' and successfully signed out of the SAML IDP (further notes on: #175). But, upon Logout, my non-SAML users (Database Connection) are also redirected to the configured SAML 'Sign Out URL'. My assumption is that Auth0 would be able to recognize the type of user and appropriately redirect only the SAML users to the SAML 'Sign Out URL'.

If the authentication was performed using a Database Connection, you don't really I am wondering if you call it with federated it remembers the last federated connection, perhaps e.g. SAML

An alternative approach is to force a login, if you add .parameters(["prompt" : "login"])

Yes, I am using WebAuth (through the Lock.swift library). Can you explain more about

Sorry, yes, add that to your login. So when you have logged in, for example with the Database connection, instead of calling

OK, I'll give this a try. What is the recommended way for my iOS app to 'know' that a Database Connection was used to login (so that I can set a flag for the next call to WebAuth)?

Take a look at https://auth0.com/docs/user-profile/normalized/auth0#uniquely-identify-users. When you retrieve the UserProfile, check the sub property.

I ended up circumventing this behavior by implementing a variant of the suggestion: I only call SafariWebAuth.clearSession when my SAML users do a logout action. This allows me to do a federated logout for them and not for my Database Connection users. I identify my SAML users by looking for 'samlp' in the UserProfile sub property, as you suggested. I chose this way because I don't have easy access to the WebAuth object to add parameters because I'm using the Lock.swift library which wraps the WebAuth object. Thanks for your help in working through this.

Great, as an FYI you can specify parameters in the Lock options that will be passed through to

    .withOptions {
        $0.parameters = ["prompt" : "login"]
    }
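The two approaches discussed in this thread (deciding on a federated logout from the `sub` claim, and forcing a fresh login through the Lock options) combined in one added example; this is illustrative code, not code from the Auth0.swift or Lock.swift projects. It assumes Auth0.swift's `Auth0.webAuth().clearSession(federated:callback:)` and Lock.swift's `Lock.classic().withOptions { }.present(from:)` are available in the versions you use.

```swift
import UIKit
import Auth0
import Lock

// Added example, not from the Auth0 repository. Assumes Auth0.swift's
// clearSession(federated:callback:) and Lock.swift's withOptions/present(from:).

/// Decides from the normalized `sub` claim whether the user came through a
/// SAML enterprise connection. Auth0 normalizes `sub` as
/// "<strategy>|<identifier>", e.g. "samlp|..." for SAML and "auth0|..."
/// for a Database Connection, so only the strategy prefix is inspected.
func needsFederatedLogout(sub: String) -> Bool {
    guard let separator = sub.firstIndex(of: "|") else { return false }
    let strategy = String(sub[..<separator]).lowercased()
    return strategy == "samlp"
}

/// Ends the Auth0 session. Only SAML users are also sent to the IdP's
/// configured Sign Out URL; Database Connection users get a plain logout,
/// which avoids the unwanted redirect described in this issue.
func logout(sub: String, completion: @escaping (Bool) -> Void) {
    let federated = needsFederatedLogout(sub: sub)
    Auth0
        .webAuth()
        .clearSession(federated: federated) { success in
            completion(success)
        }
}

/// The alternative from the thread: pass prompt=login through the Lock
/// options so the next sign-in does not silently reuse a lingering session.
func presentLoginForcingPrompt(from viewController: UIViewController) {
    Lock
        .classic()
        .withOptions {
            $0.parameters = ["prompt": "login"]
        }
        .present(from: viewController)
}
```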
I'm not sure if this is an issue with the Auth0 library or a misuse/misconfiguration on my part.
When specifying the federated parameter, the Auth0 logout url redirects to the Enterprise Connection (SAML) logout URL for all of my users, not just the SAML users (as I expect). I expect only my SAML users to be redirected to the SAML logout URL.