logout of Idp session with passport-saml

Receiving a 400 Bad Request when trying to log the user out of the IdP session. The user is logged out from the application/passport session, but not from the IdP session.

The logout and callback endpoints are set up as seen below. The logout endpoint attaches the attributes required to log the user out and to create the SAMLRequest.

// Initiates logout: copies the SAML identifiers from the login assertion onto
// req.user so passport-saml can build the LogoutRequest, then redirects the
// browser to the IdP logout URL returned by strategy.logout().
app.get('/api/logout', (req, res) => {
  const currentUser = getCurrentUser(req);
  const user = {
    nameID: currentUser.nameID,
    nameIDFormat: currentUser.nameIDFormat,
    sessionIndex: currentUser.sessionIndex,
  };
  req.user = user;

  return strategy.logout(req, function (err, uri) {
    res.redirect(uri);
  });
});

// Receives the IdP's LogoutResponse and clears the local passport session.
app.post('/api/logout/callback', (req, res) => {
  req.logout();
  // res.redirect(uri);
});

The config is set up like this:

const strategy = new SamlStrategy(
  {
    callbackUrl: process.env.CALLBACK_URL,
    entryPoint: process.env.ENTRY_POINT,
    issuer: process.env.ISSUER,
    logoutUrl: process.env.LOGOUT_URL,
    logoutCallbackUrl: process.env.LOGOUT_CALLBACK_URL,
  },
  strategyCallback,
);

Any help troubleshooting the issue is much appreciated.

Asle Berge asked Jan 16 '26 23:01



1 Answer

Yes, the IdP session is not cleared because you have not logged out using the SAML protocol. The session at the IdP is not cleared using req.logout; only your application session can be cleared with this.

What you can do is:

samlStrategy.logout(req, function (err, request) {
  if (!err) {
    // redirect to the IdP Logout URL
    res.redirect(request);
  }
});

This would redirect to the IdP logout page, and you are supposed to give the IdP a logout callback URL. After a successful logout the IdP would redirect to the callback URL.

Kartikeya Mishra answered Jan 19 '26 13:01


