Azure AD SAML and SLO logout error

[FilmonK]

Describe the bug

Using AD SAML for SSO and Metabase 1.49.5.

You're presented with an error after signing off indicating the session index couldn't be located.
It doesn't prevent you from logging back in.

A quick video of a session logging on and off.
https://www.loom.com/share/485466cf8fb7486ca5f955a774d363c8

To Reproduce

1. Log into Metabase using AD based SAML
2. Log out

I’m not sure if it’s a case of not calling the Logout URL configured for the app in Azure, possibly redirecting to different url configurations in Azure, completely logging out the session during the call to 'auth/sso/logout' so there’s no SessionIndex to reference by Azure, or something else.

From the decoded SAML traces
Part of the Login XML:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_474a4cac-8a29-4c29-a70f-ce65ccdb3563"
                Version="2.0"
                IssueInstant="2024-04-18T16:41:17.004Z"
                Destination="https://fil-testjumper.hosted.staging.metabase.com/auth/sso"
                InResponseTo="id-7956d9dc-65ba-4c73-b96f-d328e2aa9d1c"
                >

<AuthnStatement AuthnInstant="2024-04-18T14:27:07.975Z"
                        SessionIndex="_ab39c4e2-eced-436a-8064-bd1683566f00"
                        >
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>

Logout XML:

<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     Destination="https://login.microsoftonline.com/74f046ab-2329-4440-a249-ed151b3148b8/saml2"
                     ID="id10cff6ed-964c-46e4-9e34-f90efe028d72"
                     IssueInstant="2024-04-18T16:38:14Z"
                     Version="2.0"
                     >
    <saml:Issuer>metabase</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">filmonk@gmail.com</saml:NameID>
    <samlp:SessionIndex>SessionIndex_From_Authentication_Assertion</samlp:SessionIndex>
</samlp:LogoutRequest>

Expected behavior

Log out from a session and not encounter the error.

Logs

No response

Information about your Metabase installation

{
  "browser-info": {
    "language": "en-US",
    "platform": "MacIntel",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "vendor": "Google Inc."
  },
  "system-info": {
    "file.encoding": "UTF-8",
    "java.runtime.name": "OpenJDK Runtime Environment",
    "java.runtime.version": "11.0.22+7",
    "java.vendor": "Eclipse Adoptium",
    "java.vendor.url": "https://adoptium.net/",
    "java.version": "11.0.22",
    "java.vm.name": "OpenJDK 64-Bit Server VM",
    "java.vm.version": "11.0.22+7",
    "os.name": "Linux",
    "os.version": "5.10.213-201.855.amzn2.x86_64",
    "user.language": "en",
    "user.timezone": "GMT"
  },
  "metabase-info": {
    "databases": [
      "postgres",
      "mongo",
      "snowflake",
      "h2"
    ],
    "hosting-env": "unknown",
    "application-database": "postgres",
    "application-database-details": {
      "database": {
        "name": "PostgreSQL",
        "version": "14.10"
      },
      "jdbc-driver": {
        "name": "PostgreSQL JDBC Driver",
        "version": "42.7.2"
      }
    },
    "run-mode": "prod",
    "version": {
      "date": "2024-04-11",
      "tag": "v1.49.5",
      "hash": "31c4887"
    },
    "settings": {
      "report-timezone": null
    }
  }
}

Severity

P2

Additional context

No response

[PIrojahPerbak]

+1 for a solution for this

[Tony-metabase]

@escherize the above seems to be fixed ... but there is still an issue when you logout. It seems that Azure is expecting a NameId but we are not passing it during the logout ... If you check the Attributes and Claims there is a NameId

[darksciencebase]

#43022