SAML add-on does not perform an SP initiated logout?

Hi,

It seems to us that the SAML add-on does not support / implement a so-called ‘SP initiated logout’. See link for documentation from the Spring SAML library.

We use the SAML add-on a lot and we now find ourselves stuck for a customer that requires this ‘SP initiated logout’ to work.

As such we have a few questions:

  • Can you confirm whether the SAML add-on supports SP initiated logout or not?

  • If it does support it, what should be done / configured for it to work? We tried triggering the /saml/logout, but although there was a logout on the application itself, the IDP still considered the user to be logged in, and the user was thus immediately granted access once more.

  • If it does not support it, are you planning to support it, or can you provide any information for us to try and resolve this ourselves? Based on the previously mentioned documentation (see link above) we are willing to extend / override certain functions in the add-on, but at this point we find it hard to know what to do or where to start.

Any help appreciated!

Kind regards,
-b

Ok, we have found the solution. Apparently we had this property configured to false where it needs to be true to enable this behaviour:

cuba.addon.saml.ssoLogout = true

We completely overlooked this option, also because it was misspelled in our configuration.

Apologies for asking your support for something that we should have resolved ourselves before contacting you.

-b
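
A check for the failure described in this thread, where a misspelled `cuba.addon.saml.ssoLogout` left the IdP session alive after logout. This is an added example, not part of the original posts or the add-on's code. It assumes a plain Java `.properties` file without line continuations; the function names, the sample input and the 0.85 similarity threshold are hypothetical.

```python
import difflib
import re

EXPECTED_KEY = "cuba.addon.saml.ssoLogout"  # property name from the post above
LINE_RE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")

def parse_properties(text):
    """Return (line_no, key, value) for each simple 'key = value' line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((no, m.group(1), m.group(2).strip()))
    return entries

def check_sso_logout(text, threshold=0.85):
    """List problems: near-miss spellings, a missing key, or a non-true value."""
    findings, effective = [], None
    for no, key, value in parse_properties(text):
        if key == EXPECTED_KEY:
            effective = value  # java.util.Properties keeps the last duplicate
            continue
        # Keys are case-sensitive, so a case-only variant is also a near miss.
        ratio = difflib.SequenceMatcher(
            None, key.lower(), EXPECTED_KEY.lower()).ratio()
        if ratio >= threshold:
            findings.append(
                f"line {no}: '{key}' looks like a misspelling of '{EXPECTED_KEY}'")
    if effective is None:
        findings.append(f"'{EXPECTED_KEY}' is not set")
    elif effective.lower() != "true":
        findings.append(f"'{EXPECTED_KEY}' is '{effective}', expected 'true'")
    return findings

# Constructed sample input, not a real configuration.
SAMPLE = """\
# constructed sample
example.other.setting = 1
cuba.addon.saml.ssoLogut = true
"""

if __name__ == "__main__":
    for finding in check_sso_logout(SAMPLE):
        print(finding)
```

Running such a check in CI against the deployed properties file catches the case where local logout works but the IdP session is never terminated.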