OIDC Logout does not trigger SAML Single Logout (SLO) #254
Comments
|
@tft7000 Really great that you've noticed this... It is a know issue and it has to do with how SSP handles logout: simplesamlphp/simplesamlphp#1522 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
I am using SimpleSAMLphp as an IdP with the OIDC module (acting as an OP). Several clients (SPs/RPs) are connected to this IdP, some via SAML and others via OIDC. Additionally, in some cases, the IdP also acts as an SP and authenticates users through another remote IdP.
Problem
When logging out via OIDC, the IdP completes the local logout process and redirects to the specified return URL without logging out the associated SPs/RPs or any remote IdP that may have been involved.
Here is the OIDC logout URL I call:
https://myidp.tld/ssp/module.php/oidc/logout.php?id_token_hint=XXX&post_logout_redirect_uri=XXX
However, when logging out using SAML Single Logout (SLO), the logout process ensures that all SPs are logged out, including any possible remote IdP, before redirecting to the calling party.
Here is the SAML SLO URL I call:
https://myidp.tld/ssp/saml2/idp/SingleLogoutService.php?ReturnTo=XXX
Expected Behavior
Shouldn't the OIDC logout process also trigger the SAML SLO, ensuring that the session is terminated for all clients, both OIDC and SAML?
Version Info
Additional Information
Please let me know if this behavior is intended or if additional configuration is needed to enable SLO for OIDC clients. Any guidance on ensuring a consistent logout experience across both protocols would be greatly appreciated.
The text was updated successfully, but these errors were encountered: