Cognito logout does not work as documented


I have a Cognito user pool configured with a SAML identity provider (ADFS) and I’m able to sign in as a federated user (AD), but sign out does not work.

Following the documentation, I make a GET request to…ng& (using some public logout uri), from my client (an AngularJS 1.x app), and I get back a 302 with a Location header like

(In fact there I see 2 requests like the above).

When I log back in (through ADFS) it does not prompt for my AD credentials, i.e. it seems that I’m not logged out.

My user pool is configured as described here (see step 7), where the Enable IdP sign out flow is checked, which is supposed to log the user out from ADFS as well.

Any suggestions?


This redirect happens whenever logout_uri parameter doesn’t match exactly what’s listed among Sign out URL(s) in AWS Cognito User Pools App client settings configuration.

Cognito allows logout with either logout_uri or with the same arguments as login (i.e. redirect_uri and response_type) to log out and take the user back to the login screen. It seems that whenever logout_uri is invalid, it assumes the re-login flow, does this redirect, and then reports an error about missing login arguments.

As for SAML, I don’t know, but guessing that it doesn’t work because there was actually an error, just not properly reported.
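The rule described in this answer, as an added example that is not part of the original question or answer: a small client-side helper that checks logout_uri against the app client's configured Sign out URL(s) with an exact string comparison before building the /logout request, so a mismatch fails locally instead of surfacing as a silent 302 from Cognito. The domain, client id and URLs are constructed placeholders, and the exact-match rule (no normalisation of trailing slashes or case) is an assumption based on the answer.

```javascript
// Constructed app client settings standing in for what is configured in the
// Cognito console (hypothetical values, not from the original post).
const appClient = {
  domain: 'https://example-pool.auth.us-east-1.amazoncognito.com', // hosted UI domain
  clientId: 'EXAMPLE_CLIENT_ID',
  signOutUrls: ['https://app.example.com/logged-out'], // "Sign out URL(s)"
  callbackUrls: ['https://app.example.com/callback'],  // "Callback URL(s)"
};

// Exact, case-sensitive comparison: the answer says logout_uri must match
// "exactly", so no trailing-slash or case normalisation is applied (assumption).
function isRegisteredSignOutUrl(config, logoutUri) {
  return config.signOutUrls.includes(logoutUri);
}

// /logout in the logout_uri form: client_id + logout_uri. Throws on a
// client-side mismatch so the misconfiguration is visible before the request.
function buildLogoutUrl(config, logoutUri) {
  if (!isRegisteredSignOutUrl(config, logoutUri)) {
    throw new Error(`logout_uri is not in the configured Sign out URL(s): ${logoutUri}`);
  }
  const params = new URLSearchParams({
    client_id: config.clientId,
    logout_uri: logoutUri,
  });
  return `${config.domain}/logout?${params.toString()}`;
}

// /logout in the re-login form: the same arguments as /login, which signs the
// user out and returns them to the hosted login screen.
function buildLogoutToLoginUrl(config, redirectUri, responseType = 'code') {
  if (!config.callbackUrls.includes(redirectUri)) {
    throw new Error(`redirect_uri is not in the configured Callback URL(s): ${redirectUri}`);
  }
  const params = new URLSearchParams({
    client_id: config.clientId,
    response_type: responseType,
    redirect_uri: redirectUri,
  });
  return `${config.domain}/logout?${params.toString()}`;
}

// Classify a /logout query the way the answer describes Cognito behaving:
// an exact logout_uri match signs out and redirects there; anything else is
// treated as the re-login flow, which needs redirect_uri and response_type,
// and otherwise ends in the "missing login arguments" error.
function classifyLogoutRequest(config, query) {
  if (query.logout_uri !== undefined && isRegisteredSignOutUrl(config, query.logout_uri)) {
    return 'signout-redirect';
  }
  const hasLoginArgs = query.redirect_uri !== undefined && query.response_type !== undefined;
  if (hasLoginArgs && config.callbackUrls.includes(query.redirect_uri)) {
    return 'relogin';
  }
  return 'error-missing-login-args';
}

// Stand-alone usage: the trailing slash is enough to break the exact match.
console.log(buildLogoutUrl(appClient, 'https://app.example.com/logged-out'));
console.log(classifyLogoutRequest(appClient, { logout_uri: 'https://app.example.com/logged-out/' }));
```

When debugging the 302 seen in the question, compare the logout_uri the client actually sent (after URL encoding) byte for byte with the Sign out URL(s) list; a stray trailing slash, a different scheme, or a query string is enough for Cognito to fall through to the re-login path.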
