 

Cognito logout does not work as documented

I have a Cognito user pool configured with a SAML identity provider (ADFS) and I'm able to sign in as a federated user (AD), but sign out does not work.

Following the documentation, I make a GET request to https://my-domain.auth.us-west-2.amazoncognito.com/logout?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com (using some public logout uri), from my client (an AngularJS 1.x app), and I get back a 302 with a Location header like

https://my-domain.auth.us-west-2.amazoncognito.com/login?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com  

(In fact I see 2 requests like the above.)

When I log back in (through ADFS) it does not prompt for my AD credentials, i.e. it seems that I'm not logged out.

My user pool is configured as described here (see step 7), where the Enable IdP sign out flow is checked, which is supposed to log the user out from ADFS as well.

Any suggestions? Thanks.

General
-------
Request URL: https://my-domain.auth.us-west-2.amazoncognito.com/logout?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com  
Request Method: GET  
Status Code: 302  
Remote Address: 54.69.30.36:443  
Referrer Policy: no-referrer-when-downgrade  

Response Headers
----------------
cache-control: private  
content-length: 0  
date: Fri, 20 Apr 2018 21:31:12 GMT  
expires: Thu, 01 Jan 1970 00:00:00 UTC  
location: https://my-domain.auth.us-west-2.amazoncognito.com/login?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com  
server: Server  
set-cookie: XSRF-TOKEN=...; Path=/; Secure; HttpOnly  
set-cookie: XSRF-TOKEN=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly  
status: 302  
strict-transport-security: max-age=31536000 ; includeSubDomains  
x-content-type-options: nosniff  
x-frame-options: DENY  
x-xss-protection: 1; mode=block  

Request Headers
---------------
:authority: my-domain.auth.us-west-2.amazoncognito.com  
:method: GET  
:path: /logout?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com  
:scheme: https
accept: application/json, text/plain, */*  
accept-encoding: gzip, deflate, br  
accept-language: en-US,en;q=0.9  
authorization: Bearer eyJra...  
cache-control: no-cache  
origin: https://localhost:8443  
pragma: no-cache  
referer: https://localhost:8443/logout  
user-agent: Mozilla/5.0...  
sharpthor asked Apr 20 '18 21:04



3 Answers

This redirect happens whenever the logout_uri parameter doesn't match exactly what's listed among Sign out URL(s) in the AWS Cognito User Pools App client settings configuration.

Cognito allows logout with either logout_uri or with the same arguments as login (i.e. redirect_uri and response_type) to log out and take the user back to the login screen. It seems that whenever logout_uri is invalid, it assumes the re-login flow, does this redirect, and then reports an error about missing login arguments.

As for SAML, I don't know, but guessing that it doesn't work because there was actually an error, just not properly reported.

DS. answered Sep 21 '22 10:09
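An added example (not code from the original post or from AWS) that turns the point above into an offline check: it builds both forms of the /logout URL with the logout_uri fully percent-encoded, classifies the 302 that comes back without following it, and reports why a logout_uri is not an exact match for the configured sign-out URLs (trailing slash, scheme, host case, query string). The domain, client id and sign-out URL list are constructed for illustration; the question's real values are not shown. One caveat worth noting from the captured request headers: Accept: application/json, an Origin header and a bearer token are what an XHR from the Angular app sends, whereas /logout is a redirect endpoint meant to be reached by top-level browser navigation, so that the hosted-UI session cookie and any IdP sign-out redirects are handled by the browser.

```python
"""Offline checks for the Cognito hosted-UI /logout redirect described above.

Added example, not code from the original post or from AWS. The domain,
client id and configured sign-out URL list are constructed for illustration.
"""
from urllib.parse import urlencode, urlsplit


def build_logout_url(domain, client_id, logout_uri):
    """Form 1: sign out and land on logout_uri.

    urlencode() percent-encodes the whole value (':' and '/' included), so the
    request carries logout_uri=http%3A%2F%2Fexample.com rather than a partly
    encoded value.
    """
    return f"https://{domain}/logout?" + urlencode(
        {"client_id": client_id, "logout_uri": logout_uri}
    )


def build_logout_to_login_url(domain, client_id, redirect_uri, response_type="code"):
    """Form 2: sign out, then show the hosted login page again, using the same
    parameters a /login request takes (client_id, response_type, redirect_uri)."""
    return f"https://{domain}/logout?" + urlencode(
        {"client_id": client_id, "response_type": response_type,
         "redirect_uri": redirect_uri}
    )


def classify_logout_redirect(status, location, domain, logout_uri):
    """Interpret the /logout response (status code and Location header)
    without following the redirect, as a browser devtools capture shows it."""
    if status != 302:
        return f"unexpected status {status}"
    loc = urlsplit(location)
    if loc.netloc == domain and loc.path == "/login":
        # The symptom in the question: Cognito fell back to the re-login flow.
        return ("redirected back to /login: logout_uri was not accepted "
                "as a configured sign-out URL")
    if location == logout_uri:
        return "redirected to logout_uri: sign-out accepted"
    return f"redirected elsewhere: {location}"


def explain_mismatch(logout_uri, configured_signout_urls):
    """Say why logout_uri is not an exact match for any configured sign-out URL."""
    if logout_uri in configured_signout_urls:
        return "exact match"
    want = urlsplit(logout_uri)
    for cfg in configured_signout_urls:
        have = urlsplit(cfg)
        same_host = want.netloc.lower() == have.netloc.lower()
        same_path = want.path.rstrip("/") == have.path.rstrip("/")
        if not (same_host and same_path):
            continue
        reasons = []
        if want.scheme != have.scheme:
            reasons.append(f"scheme {want.scheme!r} vs {have.scheme!r}")
        if want.netloc != have.netloc:
            reasons.append("host differs in case")
        if want.path != have.path:
            reasons.append("trailing slash differs")
        if want.query != have.query:
            reasons.append("query string differs")
        if want.fragment != have.fragment:
            reasons.append("fragment differs")
        return f"near miss against {cfg}: " + ", ".join(reasons)
    return "no configured sign-out URL resembles it"


# Constructed values, not the question's real client id or app settings.
DOMAIN = "my-domain.auth.us-west-2.amazoncognito.com"
CLIENT_ID = "EXAMPLECLIENTID"
CONFIGURED_SIGNOUT_URLS = ["https://localhost:8443/logout"]

if __name__ == "__main__":
    print(build_logout_url(DOMAIN, CLIENT_ID, "http://yahoo.com"))
    # A response shaped like the one in the question: 302 back to /login.
    login_location = (f"https://{DOMAIN}/login?client_id={CLIENT_ID}"
                      "&logout_uri=http%3A%2F%2Fyahoo.com")
    print(classify_logout_redirect(302, login_location, DOMAIN, "http://yahoo.com"))
    print(explain_mismatch("http://yahoo.com", CONFIGURED_SIGNOUT_URLS))
    print(explain_mismatch("https://localhost:8443/logout/", CONFIGURED_SIGNOUT_URLS))
```

Run it as a script to see the question's case classified as the /login fallback; in a real check, paste the status and Location from the devtools capture into classify_logout_redirect and the app client's Sign out URL(s) into explain_mismatch.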


The /logout endpoint signs the user out. It only supports HTTPS GET. It is working.

Sample Requests - Logout and Redirect Back to Client

It clears out the existing session and redirects back to the client. Both parameters are required.

GET https://<YOUR DOMAIN NAME>/logout?
client_id=xxxxxxxxxxxx&
logout_uri=com.myclientapp://myclient/logout

Also make sure that the logout URL is the same as the Sign out URL in the AWS Cognito app client settings too.

For more information, refer to the AWS Logout Endpoint documentation.

Ak S answered Sep 20 '22 10:09


Finally I was able to fix this issue. I found the actual cause of the issue in the event viewer of my Windows Server 2012 R2. It gives the following details about the failed sign out flow.

The SAML Single Logout request does not correspond to the logged-in session participant. Requestor: urn:amazon:cognito:sp:userpoolid Request name identifier: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, NameQualifier: SPNameQualifier: , SPProvidedId: Logged-in session participants: Count: 1, [Issuer: urn:amazon:cognito:sp:userpoolid, NameID: (Format: , NameQualifier: SPNameQualifier: , SPProvidedId: )]

User Action Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS 2.0 Management snap-in.

The error clearly says that the name identifier in the request is different from the name identifier in the session only by NameQualifier. I have corrected this error in the claim issuance tab of the relying party trust by adding the rule below. The rule replaces user@myadfsdomain with simply user when issuing the claim.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = RegExReplace(c.Value, "(?i)^myadfsdomain*\\", ""), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

Besides this, I had forgotten to check the Enable IdP sign out flow option in the Cognito configuration, which caused the problem. Logout started working seamlessly for me.

Keerthikanth Chowdary answered Sep 23 '22 10:09
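An added example (not code from the original post, AWS or Microsoft) of the check the AD FS event above is describing: the IdP receives a SAML 2.0 LogoutRequest from the SP (Issuer urn:amazon:cognito:sp:userpoolid, as in the event text), pulls out the NameID with its Format, NameQualifier, SPNameQualifier and SPProvidedID attributes, and compares it field by field against the NameID it recorded for that session participant at sign-in. A differing value (for example a domain-prefixed account name versus the bare user name) is what the claim rule fix above addresses; a difference only in the qualifier or format attributes is the case the event's "User Action" text points at. The LogoutRequest XML, the session records and the NameID values are constructed for illustration; the example parses only the Issuer and NameID elements and performs no signature verification, which a real IdP does before any of this.

```python
"""Compare a SAML 2.0 LogoutRequest's NameID against the logged-in session
participant, as an IdP such as AD FS does before terminating the session.

Added example, not from the original post, AWS or Microsoft. The request XML,
session records and NameID values below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_FIELDS = ("value", "Format", "NameQualifier", "SPNameQualifier", "SPProvidedID")

# Constructed LogoutRequest as the SP (Cognito) would send it to the IdP;
# Destination, ID and SessionIndex are placeholders.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-id" Version="2.0"
    IssueInstant="2018-04-20T21:31:12Z"
    Destination="https://adfs.example.test/adfs/ls/">
  <saml:Issuer>urn:amazon:cognito:sp:userpoolid</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user</saml:NameID>
  <samlp:SessionIndex>_constructed-session-index</samlp:SessionIndex>
</samlp:LogoutRequest>
"""


def parse_logout_request(xml_text):
    """Extract the Issuer and the NameID (text plus its four attributes)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")
    issuer = root.find("saml:Issuer", NS)
    nameid = root.find("saml:NameID", NS)
    if issuer is None or nameid is None:
        raise ValueError("LogoutRequest needs both Issuer and NameID")
    return {
        "issuer": (issuer.text or "").strip(),
        "nameid": {
            "value": (nameid.text or "").strip(),
            "Format": nameid.get("Format", ""),
            "NameQualifier": nameid.get("NameQualifier", ""),
            "SPNameQualifier": nameid.get("SPNameQualifier", ""),
            "SPProvidedID": nameid.get("SPProvidedID", ""),
        },
    }


def nameid_mismatch(request_nameid, session_nameid):
    """Return the NameID fields that differ, value first; empty means a match."""
    return [f for f in NAMEID_FIELDS
            if request_nameid.get(f, "") != session_nameid.get(f, "")]


def diagnose(xml_text, session):
    """Explain why the IdP would or would not accept the request for `session`.

    `session` is the record the IdP kept at sign-in: {"issuer": <SP entity id>,
    "nameid": {<same fields as the request>}}.
    """
    req = parse_logout_request(xml_text)
    if req["issuer"] != session["issuer"]:
        return f"issuer mismatch: {req['issuer']} is not a session participant"
    diff = nameid_mismatch(req["nameid"], session["nameid"])
    if not diff:
        return "match: IdP can terminate this session"
    if "value" in diff:
        # The claim rule fix in the answer: the issued NameID value must equal
        # what the SP later sends back, e.g. "user", not "DOMAIN\\user".
        return (f"NameID value differs ({session['nameid']['value']!r} in session, "
                f"{req['nameid']['value']!r} in request): the IdP's name identifier "
                "issuance rule must emit the value the SP will send back")
    return ("NameID differs only by " + ", ".join(diff) +
            ": correct the name identifier format/qualifier in the issuance rule")


def make_session(value, fmt=PERSISTENT, name_qualifier="", sp_name_qualifier=""):
    """Constructed session participant record, as an IdP would keep it."""
    return {"issuer": "urn:amazon:cognito:sp:userpoolid",
            "nameid": {"value": value, "Format": fmt,
                       "NameQualifier": name_qualifier,
                       "SPNameQualifier": sp_name_qualifier,
                       "SPProvidedID": ""}}


# Constructed sessions: what the IdP issued before and after the rule fix.
SESSION_BEFORE_FIX = make_session("myadfsdomain\\user", fmt="")
SESSION_FORMAT_ONLY = make_session("user", fmt="")
SESSION_AFTER_FIX = make_session("user")

if __name__ == "__main__":
    for label, sess in (("before fix", SESSION_BEFORE_FIX),
                        ("format only", SESSION_FORMAT_ONLY),
                        ("after fix", SESSION_AFTER_FIX)):
        print(f"{label}: {diagnose(SAMPLE_LOGOUT_REQUEST, sess)}")
```

The comparison is deliberately strict on all five fields because that is how the IdP decides which session participant a LogoutRequest refers to; when debugging a failed SLO, capture the NameID the IdP issued in the assertion and the NameID in the SP's LogoutRequest and feed both in.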