Single Log Out (SLO) Not Redirecting #173

Closed
cwseric opened this issue Nov 12, 2018 · 2 comments

cwseric commented Nov 12, 2018

Hello,

I need to use SLO in my app and am having an issue after the IdP validates my logout request. The app appears to close out all the connections but gets stuck at a page showing "Redirecting to ..." after it returns from the IdP.

(Screenshot: 2018-11-12 at 3:19:53 PM)

Any help on where the "Redirecting to ..." is coming from and/or possibly where I can set a different redirect URL would be wonderful.

Below are my files and logs.

production log file

```
Started DELETE "/users/sign_out" for 10.0.0.1 at 2018-11-12 21:00:34 +0000
Processing by SessionsController#destroy as HTML
  Parameters: {"authenticity_token"=>"gS8w/o2xmErAB8gMwQnPZXEz65vHf/zfbQjxJDeREj998SDhDFm2X1egldlFBXmT5daSxL5okbSkUwDm4iSpyQ=="}
  User Load (0.4ms)  SELECT  `users`.* FROM `users` WHERE `users`.`id` = 5 ORDER BY `users`.`id` ASC LIMIT 1
   (0.1ms)  BEGIN
   (0.1ms)  COMMIT
  Site Load (0.3ms)  SELECT  `sites`.* FROM `sites` WHERE `sites`.`id` = 1 LIMIT 1
Redirected to https://mysite.com/users/auth/saml/spslo
Completed 302 Found in 5ms (ActiveRecord: 1.0ms)
Started GET "/users/auth/saml/spslo" for 10.0.0.1 at 2018-11-12 21:00:34 +0000
Created SLO Logout Request: <samlp:LogoutRequest Destination='https://mysite.samlidp.io/saml2/idp/SingleLogoutService.php' ID='_5fe1caf1-890b-4b7b-9dc3-ef50fc10a961' IssueInstant='2018-11-12T21:00:34Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer>https://mysite.com</saml:Issuer><saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>_a747cb547d2bb3c92c8ee99d37aef5b489c1b0685e</saml:NameID></samlp:LogoutRequest>
Started POST "/users/auth/saml/slo" for 10.0.0.1 at 2018-11-12 21:02:44 +0000
```

devise.rb file

```ruby
config.omniauth :saml,
      # ACS endpoint: where the IdP posts the SAML response after login
      assertion_consumer_service_url: "https://mysite.com/users/auth/saml/callback",
      # SP endpoint that receives the IdP's logout request/response
      single_logout_service_url: "https://mysite.com/users/auth/saml/slo",
      idp_cert: provider.cert,
      idp_sso_target_url: provider.target_url,
      idp_slo_target_url: provider.sso_logout_url,
      issuer: "https://saml.cws.net",
      # SP key pair used for signing
      private_key: File.read("/var/www/mysite.com/ssl/selfsigned.key"),
      certificate: File.read("/var/www/mysite.com/ssl/selfsigned.pem"),
      allowed_clock_drift: 5,
      name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
```

routes.rb

```ruby
Rails.application.routes.draw do
  #devise_for :users
  devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks', sessions: 'sessions' }

  root 'home#index'
end
```

sessions_controller.rb

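```ruby
class SessionsController < Devise::SessionsController

  def destroy
    # Preserve the saml_uid in the session so the SP-initiated
    # logout request can still identify the user after sign-out.
    saml_uid = session["saml_uid"]

    super do
      session["saml_uid"] = saml_uid
    end
  end

  def after_sign_out_path_for(_)
    @site = Site.find_by_id(1)
    # Start SP-initiated SLO only for SAML sessions when the site has
    # an IdP logout URL; &. avoids a NoMethodError if the site is missing.
    if session['saml_uid'] && @site&.sso_logout_url
      user_saml_omniauth_authorize_path + "/spslo"
    else
      super
    end
  end

end
```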

Thanks
Eric

cwseric commented Nov 12, 2018

I figured out the issue. If you're doing SLO you need to use the following in your devise.rb file.

```ruby
slo_default_relay_state: "something"
```

"Something" will route to a path similar to `/auth/saml/something`.

cwseric closed this as completed Nov 12, 2018

topherfangio commented

For anyone else who visits this page, here is how I got this working in my Rails 7 application:

```ruby
:slo_default_relay_state => Proc.new { Rails.application.routes.url_helpers.login_url },
```
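
An added example, not part of the thread and not omniauth-saml's own code: the redirect at the end of SLO is driven by a relay state value, so an application that resolves that target itself can restrict it to rooted local paths or allowlisted hosts. `safe_slo_redirect`, `resolve_default`, `ALLOWED_HOSTS` and `DEFAULT_AFTER_LOGOUT` are hypothetical names, and their values are constructed for illustration.

```ruby
require "uri"

# Hypothetical values for illustration; not taken from the thread.
ALLOWED_HOSTS = ["mysite.com"].freeze     # hosts the app may send users to after logout
DEFAULT_AFTER_LOGOUT = "/users/sign_in"   # plays the role of a default relay state

# The default may be a plain string or a callable evaluated at request time,
# matching the two forms shown in the comments above.
def resolve_default(default)
  default.respond_to?(:call) ? default.call : default
end

# Pick the redirect target for the end of SLO. RelayState travels through the
# browser with the logout response, so it is handled as untrusted input.
def safe_slo_redirect(relay_state, default: DEFAULT_AFTER_LOGOUT)
  fallback = resolve_default(default)
  return fallback if relay_state.nil? || relay_state.strip.empty?
  # Control characters and backslashes can be normalised by browsers; refuse them.
  return fallback if relay_state.match?(/[\x00-\x1f\\]/)

  uri = URI.parse(relay_state)
  if uri.scheme.nil? && uri.host.nil?
    # Relative reference: only a rooted path ("/x") is accepted. A bare value
    # such as "something" would resolve against the SLO endpoint's path.
    rooted = relay_state.start_with?("/") && !relay_state.start_with?("//")
    return rooted ? relay_state : fallback
  end
  # Absolute URL: https only, no userinfo, exact host match on the allowlist.
  ok = uri.scheme == "https" && uri.userinfo.nil? &&
       ALLOWED_HOSTS.include?(uri.host.to_s.downcase)
  ok ? relay_state : fallback
rescue URI::InvalidURIError
  fallback
end
```

This check is stricter than the bare `"something"` value used earlier in the thread: it falls back to the default unless the value is a rooted path or an allowlisted https URL.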
