
SafariWebAuth.clearSession unexpectedly redirects to federated logout for non-SAML users #176

Closed
srgray opened this issue Nov 26, 2017 · 10 comments

Comments


srgray commented Nov 26, 2017

I'm not sure if this is an issue with the Auth0 library or a misuse/misconfiguration on my part.

When specifying the federated parameter, the Auth0 logout url redirects to the Enterprise Connection (SAML) logout URL for all of my users, not just the SAML users (as I expect). I expect only my SAML users to be redirected to the SAML logout URL.

cocojoe (Member) commented Nov 27, 2017

Hey @srgray can you walk me through the steps to reproduce and also what iOS you were testing on. Thx

srgray (Author) commented Nov 27, 2017

@cocojoe

I have tested this on iOS 10.2 and 11.1 simulators. The behavior is the same for both iOS 10/11.

Here are my Auth0 configuration details:
I have 2 types of users in my Auth0 configuration: those associated with a Database Connection and those associated with an Enterprise Connection (SAML IdP). For my SAML Connection configuration, I have specified a 'Sign Out URL'.

My iOS application, upon user action of Logout, invokes the SafariWebAuth.clearSession function with 'federated' parameter = true for all users (regardless of user type). For the SAML users, they are properly redirected to the configured SAML 'Sign Out URL' and successfully signed out of the SAML IDP (further notes on: #175 ).

But, upon Logout, my non-SAML users (Database Connection) are also redirected to the configured SAML 'Sign Out URL'.

My assumption is that Auth0 would be able to recognize the type of user and appropriately redirect only the SAML users to the SAML 'Sign Out URL'.

cocojoe (Member) commented Nov 27, 2017

If the authentication was performed using a Database Connection, you don't really log out; all you are looking to do is clear the last login session, which would be the DB connection (presuming you are using WebAuth for everything?), so you would call clearSession without federated.

I am wondering whether, if you call it with federated, it remembers the last federated connection, e.g. SAML.

clearSession may not be the best option for every possible use case, you should also have a look at the SAML Logout Docs https://auth0.com/docs/logout#saml-logout.

cocojoe (Member) commented Nov 27, 2017

An alternative approach is to force a login by adding .parameters(["prompt" : "login"]).

srgray (Author) commented Nov 29, 2017

Yes, I am using WebAuth (through the Lock.swift library).

Can you explain more about .parameters(["prompt" : "login"]) ? Is that something to add to the WebAuth object?

cocojoe (Member) commented Nov 29, 2017

Sorry, yes add that to your WebAuth object.

login: The Authorization Server SHOULD prompt the End-User for reauthentication.

So when you have logged in for example with the Database connection, instead of calling clearSession, you could set a flag somewhere so next time you call WebAuth you add the prompt key with value login to force a reauthentication.

srgray (Author) commented Nov 30, 2017

OK, I'll give this a try.

What is the recommended way for my iOS app to 'know' that a Database Connection was used to login (so that I can set a flag for the next call to WebAuth)?

cocojoe (Member) commented Nov 30, 2017

Take a look at https://auth0.com/docs/user-profile/normalized/auth0#uniquely-identify-users for the general idea.

When you retrieve the UserProfile check the sub property

srgray (Author) commented Dec 5, 2017

I ended up circumventing this behavior by implementing a variant of the suggestion: I only call SafariWebAuth.clearSession when my SAML users do a logout action. This allows me to do a federated logout for them and not for my Database Connection users. I identify my SAML users by looking for 'samlp' in the UserProfile sub property, as you suggested.

I chose this way because I don't have easy access to the WebAuth object to add parameters because I'm using the Lock.swift library which wraps the WebAuth object.

Thanks for your help in working through this.

srgray closed this as completed Dec 5, 2017

cocojoe (Member) commented Dec 6, 2017

Great. As an FYI, you can specify parameters in the Lock options that will be passed through to webAuth.

Lock.classic()
    .withOptions {
        $0.parameters = ["prompt" : "login"] // passed through to WebAuth
    }
    .present(from: self)
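
As an added example (not code from this issue, from Auth0.swift or from Lock.swift), here is the decision logic the thread converges on, written at the HTTP level in Python so it applies to any client: classify the user by the strategy prefix of the normalized sub claim, append the bare federated flag to the /v2/logout URL only for SAML users, and for Database Connection users skip the session clear and queue prompt=login for the next authorize call instead. The tenant domain, client_id, returnTo value and the sample profiles are constructed placeholders. The one check worth keeping: only trust a sub that came from a verified source (the SDK's validated ID token or the /userinfo response), since the prefix decides which logout path runs.

```python
# Added example, not code from this issue or from Auth0.swift/Lock.swift.
# Domain, client_id, returnTo and the sample subs below are placeholders.
from urllib.parse import urlencode

AUTH0_DOMAIN = "example.auth0.com"      # assumption: your tenant domain
CLIENT_ID = "YOUR_CLIENT_ID"            # assumption: the app's client id
RETURN_TO = "com.example.app://logout"  # assumption: must be in Allowed Logout URLs

# Strategies whose users get the IdP-side sign-out. The thread only needs
# "samlp"; adding other enterprise strategies is a deployment decision.
FEDERATED_STRATEGIES = frozenset({"samlp"})


def connection_from_sub(sub: str) -> str:
    """Return the strategy prefix of a normalized Auth0 sub ("auth0|abc" -> "auth0").

    Only pass a sub taken from a verified source (the SDK's validated ID token
    or the /userinfo response); an unverified string could claim any prefix.
    """
    strategy, sep, rest = sub.partition("|")
    if not sep or not strategy or not rest:
        raise ValueError(f"unexpected sub format: {sub!r}")
    return strategy


def needs_federated_logout(sub: str) -> bool:
    """True only for users who authenticated through a federated (SAML) connection."""
    return connection_from_sub(sub) in FEDERATED_STRATEGIES


def logout_url(sub: str) -> str:
    """Build the /v2/logout URL, adding the valueless `federated` flag only for IdP users."""
    query = urlencode({"client_id": CLIENT_ID, "returnTo": RETURN_TO})
    if needs_federated_logout(sub):
        query += "&federated"  # bare flag, as documented for the Auth0 logout endpoint
    return f"https://{AUTH0_DOMAIN}/v2/logout?{query}"


def plan_logout(profile: dict) -> dict:
    """Mirror the approach the thread settled on.

    SAML users: clear the Auth0 session with federated=true, which also sends
    them to the connection's Sign Out URL. Database users: do not call
    clearSession at all; instead send prompt=login on the next WebAuth call so
    the user is forced to reauthenticate.
    """
    sub = profile["sub"]
    if needs_federated_logout(sub):
        return {"clear_session": True, "logout_url": logout_url(sub), "next_login_params": {}}
    return {"clear_session": False, "logout_url": None, "next_login_params": {"prompt": "login"}}


if __name__ == "__main__":
    # Constructed sample profiles, not real users.
    for profile in ({"sub": "auth0|5a1b2c3d4e5f"}, {"sub": "samlp|corp-idp|jane.doe"}):
        print(profile["sub"], "->", plan_logout(profile))
```

The same split is what the Swift side ends up doing: call clearSession(federated: true) only when plan_logout reports clear_session, and otherwise store next_login_params so they can be handed to the Lock options (or WebAuth.parameters) on the next login.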
