Logout error message and issue with workaround #186

Open
tw77 opened this issue Jan 10, 2024 · 0 comments

tw77 commented Jan 10, 2024

Summary

Two single institution clients, RMIT and Seneca, encountered an invalid_logout_response error message every time when testing logout during SSO configuration (RMIT in November 2023, Seneca in January 2024).

image

Logging out and all other aspects of SSO functionally worked for both clients, but this confusing error message appeared every time someone logged out after having logged in with SSO.

Both clients were able to use the same workaround to remove this error message, which was to change the SP Logout URL in their IdP from the SingleLogoutService value in our SP metadata to a generic https://rmit.pressbooks.pub/wp/wp-login.php?action=logout or https://pressbooks.senecapolytechnic.ca/wp/wp-login.php?action=logout. However, this workaround has the side effect of an additional, unwanted prompt upon logout:

image

More detailed notes from RMIT

See RMIT's explanation of the cause of the error message, the workaround, and the side effect of the workaround here (https://pressbooks.zendesk.com/agent/tickets/18449):

Once the user hits “Log Out” from the Pressbooks application:

The logout URL sending the SAML Logout Request from the app was https://rmit.pressbooks.pub/wp/wp-login.php?action=logout&redirect_to=https%3A%2F%2Frmit.pressbooks.pub%2F&_wpnonce=2059b118fa.

But the SingleLogoutService value in the SP metadata file is https://rmit.pressbooks.pub/wp/wp-login.php?action=pb_shibboleth_sls

Since these two values mismatched, we see an error message "invalid_logout_response"

To fix this, the IDP changed the Single Logout URL returned in the SAML Response to https://rmit.pressbooks.pub/wp/wp-login.php?action=logout so that it matched the URL sending the Logout request.

This worked (Error message didn’t appear again) but added the additional step to the logout process. See below:

  1. User hits “log Out” from the app.

  2. User gets redirected to the following prompt (additional step):

image

  3. Upon hitting ‘log out’ from the additional prompt, user gets sent to the login page:

This page now shows the correct message “You are now logged out”.

image

@SteelWagstaff SteelWagstaff added the bug Something isn't working label Jan 10, 2024
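
A small diagnostic for the mismatch described in RMIT's notes, added here as an example (not code from Pressbooks or from the issue): it reads the SingleLogoutService Location from SP metadata and classifies a logout URL configured at the IdP against it. The metadata fragment, its entityID and binding, and the function names are constructed for illustration; only the URLs come from the issue.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata fragment; only the Location value is taken from the issue.
# For metadata fetched from an untrusted source, parse with defusedxml instead.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example/placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://rmit.pressbooks.pub/wp/wp-login.php?action=pb_shibboleth_sls"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sls_locations(metadata_xml):
    """Return every SingleLogoutService Location advertised in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iter(f"{{{MD_NS}}}SingleLogoutService")]


def endpoint_key(url):
    """Reduce a URL to (scheme, host, path, action); nonce and redirect_to are ignored."""
    parts = urlsplit(url)
    action = parse_qs(parts.query).get("action", [None])[0]
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.path, action)


def check_logout_url(metadata_xml, candidate):
    """Classify the IdP-side logout URL against the SP's advertised SLS endpoint(s)."""
    advertised = [endpoint_key(u) for u in sls_locations(metadata_xml)]
    got = endpoint_key(candidate)
    if got in advertised:
        return "match"
    if any(got[:3] == adv[:3] for adv in advertised):
        # Same wp-login.php on the same host, but a different WordPress action.
        return "same endpoint, different action"
    return "different endpoint"


if __name__ == "__main__":
    for url in (
        "https://rmit.pressbooks.pub/wp/wp-login.php?action=pb_shibboleth_sls",
        "https://rmit.pressbooks.pub/wp/wp-login.php?action=logout",
    ):
        print(url, "->", check_logout_url(SP_METADATA, url))
```
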