Why IdP Single Logout URL (SAML2 / Cognito workflow) from Salesforce connected app does not fully end IdP session?


Components:

Chrome Version 119.0.6045.159 (Official Build)
Salesforce 58.x
AWS Cognito User Pools
AWS Amplify [ui-components] 1.9.40

Our app is installed in a Salesforce org as a connected app. When a user logs into the Salesforce org, Salesforce acts as an Identity Provider for our connected app, and the connected app is able to log into our service. To sum up, Salesforce here is the Identity Provider, and we are the Service Provider; as well, our app relies on AWS Cognito for identity management.

We rely on SAML2 workflows to facilitate Single Sign On and Single Logout from the connected app. Our Single Logout URL looks something like this:

https://xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com/saml2/logout

which has a POST binding.

When we log out of Salesforce, the Single Logout URL (above) is properly invoked with an HTTP POST request and the SAML2 Logout Request. Oddly, the HTTP response is an HTTP Redirection (302) with location URL:

https://xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com/error?null

We can confirm with curl that the Cognito endpoint exists:

$ curl -iv -X GET https://xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com/saml2/logout
...
* Connected to xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com (35.83.156.62) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.auth.us-west-2.amazoncognito.com
*  start date: Jan 28 00:00:00 2023 GMT
*  expire date: Feb 26 23:59:59 2024 GMT
*  subjectAltName: host "xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com" matched cert's "*.auth.us-west-2.amazoncognito.com"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com]
* h2 [:path: /saml2/logout]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x125810c00)
> GET /saml2/logout HTTP/2
> Host: xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/2 400 
HTTP/2 400 
< date: Sun, 03 Dec 2023 18:41:35 GMT
date: Sun, 03 Dec 2023 18:41:35 GMT
< content-type: text/html;charset=UTF-8
content-type: text/html;charset=UTF-8
< content-security-policy-report-only: script-src https://dpp0gtxikpq3y.cloudfront.net https://xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com; style-src https://dpp0gtxikpq3y.cloudfront.net https://xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com; img-src https://dpp0gtxikpq3y.cloudfront.net https://xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com; report-uri https://xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com/cspreport
content-security-policy-report-only: script-src https://dpp0gtxikpq3y.cloudfront.net https://xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com; style-src https://dpp0gtxikpq3y.cloudfront.net https://xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com; img-src https://dpp0gtxikpq3y.cloudfront.net https://xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com; report-uri https://xxxxxxx-yyyyyyyyy-dev.auth.us-west-2.amazoncognito.com/cspreport
< set-cookie: XSRF-TOKEN=3665ddc9-d7ca-4f1d-9ca3-ecc7015f92fd; Path=/; Secure; HttpOnly; SameSite=Lax
set-cookie: XSRF-TOKEN=3665ddc9-d7ca-4f1d-9ca3-ecc7015f92fd; Path=/; Secure; HttpOnly; SameSite=Lax
< x-amz-cognito-request-id: 0009fc90-6529-4ea3-bda5-6bf77b96084a
x-amz-cognito-request-id: 0009fc90-6529-4ea3-bda5-6bf77b96084a
< allow: POST
allow: POST
...

Here you can see in the allow response that an HTTP POST method is required for the Single Logout URL we have employed.

QUESTIONS:

  1. We have followed AWS docs and Salesforce docs precisely. What does the /error mean? No further details are supplied in the HTTP response.
  2. What precisely is the expected behavior of /saml2/logout (assuming this endpoint actually works)? Does it clear refresh, access, and ID tokens? I.e., is this a global signout? Or is it merely a user-session timeout? I.e., it clears the Cognito token from window.localStorage and then possibly clears the refresh token, but leaves the IdP session intact until the access and ID tokens expire?

The AWS Cognito docs seem to be scarce about the precise characterization of /saml2/logout.
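To reproduce the IdP-initiated leg of the flow without a browser, the following added example (not code from the question, nor from AWS or Salesforce) builds a SAML 2.0 LogoutRequest, encodes it for the HTTP-POST binding exactly as the question's Single Logout URL expects (plain base64 of the XML, no DEFLATE), and classifies the endpoint's reply into the outcomes the question reports: a 302 to `/error`, a 400 with `allow: POST` for the wrong method, or a normal acceptance. The Cognito domain, entity IDs and user identifiers are placeholders, and the request is unsigned, whereas Salesforce signs its LogoutRequests, so an unsigned message posted to a real SP is expected to be rejected; the value of the script is seeing which way it is rejected.

```python
"""Build a SAML 2.0 LogoutRequest for the HTTP-POST binding and classify the
Single Logout endpoint's reply. Added example, not code from the question,
AWS Cognito or Salesforce. All URLs and identifiers are placeholders."""
import base64
import sys
import urllib.error
import urllib.parse
import urllib.request
import uuid
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def build_logout_request(issuer, destination, name_id, session_index=None):
    """Return (request_id, xml_bytes) for an unsigned LogoutRequest.
    The ds:Signature Salesforce adds is deliberately omitted: the point here
    is the message shape and the binding, not the signing."""
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID", {"Format": NAMEID_UNSPEC}).text = name_id
    if session_index:
        ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    return request_id, ET.tostring(root, encoding="utf-8")


def encode_post_binding(xml_bytes, relay_state=None):
    """HTTP-POST binding: SAMLRequest is base64 of the raw XML (no DEFLATE)."""
    form = {"SAMLRequest": base64.b64encode(xml_bytes).decode("ascii")}
    if relay_state:
        form["RelayState"] = relay_state
    return form


def decode_post_binding(form):
    """Inverse of encode_post_binding; what the SP sees after decoding."""
    return base64.b64decode(form["SAMLRequest"])


def classify_slo_response(status, headers):
    """Map the SLO endpoint's reply onto the outcomes described in the question."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 302 and "/error" in h.get("location", ""):
        return "error-redirect"          # the 302 to /error?null seen from Cognito
    if status in (301, 302, 303):
        return "redirect"                # e.g. a LogoutResponse sent back to the IdP
    if status == 405 or (status == 400 and "POST" in h.get("allow", "")):
        return "wrong-method"            # the curl GET in the question
    if status == 200:
        return "accepted"
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 302 to the caller instead of following it


def post_logout_request(slo_url, form, timeout=10):
    """POST the form to the SLO URL; return (status, headers) without following redirects."""
    data = urllib.parse.urlencode(form).encode("ascii")
    req = urllib.request.Request(slo_url, data=data, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:   # 3xx/4xx arrive here because of _NoRedirect
        return e.code, dict(e.headers)


if __name__ == "__main__":
    # Placeholder SLO URL in the shape of the question's Cognito hosted-UI domain.
    slo_url = "https://example-dev.auth.us-west-2.amazoncognito.com/saml2/logout"
    _, xml = build_logout_request("https://salesforce.example/idp", slo_url,
                                  "user@example.com", session_index="sess-1")
    form = encode_post_binding(xml, relay_state="https://app.example/")
    print(xml.decode())
    if len(sys.argv) > 1:                 # only touch the network when a URL is given
        status, headers = post_logout_request(sys.argv[1], form)
        print(status, classify_slo_response(status, headers))
```

Run it with the real dev SLO URL as the first argument to see whether the endpoint answers the POST with the same `302` to `/error` the browser flow produced; because redirects are not followed, the `location` header is captured as-is and can be compared with the `x-amz-cognito-request-id` from the browser capture when raising the issue with AWS.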
