Question:
I have a Cognito user pool configured with a SAML identity provider (ADFS) and I'm able to sign in as a federated user (AD), but sign out does not work.
Following the documentation, I make a GET request to
https://my-domain.auth.us-west-2.amazoncognito.com/logout?client_id=63…ng&logout_uri=http:%2F%2Fyahoo.com (using some public logout URI) from my client (an AngularJS 1.x app), and I get back a 302 with a Location header like

https://my-domain.auth.us-west-2.amazoncognito.com/login?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com
(In fact I see two requests like the above.)
When I log back in (through ADFS) it does not prompt for my AD credentials, i.e. it seems that I'm not logged out.
My user pool is configured as described here (see step 7), with "Enable IdP sign out flow" checked, which is supposed to log the user out from ADFS as well.
Any suggestions?
Thanks.
General
-------
Request URL: https://my-domain.auth.us-west-2.amazoncognito.com/logout?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com
Request Method: GET
Status Code: 302
Remote Address: 54.69.30.36:443
Referrer Policy: no-referrer-when-downgrade

Response Headers
----------------
cache-control: private
content-length: 0
date: Fri, 20 Apr 2018 21:31:12 GMT
expires: Thu, 01 Jan 1970 00:00:00 UTC
location: https://my-domain.auth.us-west-2.amazoncognito.com/login?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com
server: Server
set-cookie: XSRF-TOKEN=...; Path=/; Secure; HttpOnly
set-cookie: XSRF-TOKEN=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
status: 302
strict-transport-security: max-age=31536000 ; includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block

Request Headers
---------------
:authority: my-domain.auth.us-west-2.amazoncognito.com
:method: GET
:path: /logout?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
authorization: Bearer eyJra...
cache-control: no-cache
origin: https://localhost:8443
pragma: no-cache
referer: https://localhost:8443/logout
user-agent: Mozilla/5.0...
Answer:
This redirect happens whenever the logout_uri parameter doesn't match exactly what's listed among Sign out URL(s) in the AWS Cognito User Pools App client settings configuration.

Cognito allows logout with either logout_uri or with the same arguments as login (i.e. redirect_uri and response_type) to log out and take the user back to the login screen. It seems that whenever logout_uri is invalid, it assumes the re-login flow, does this redirect, and then reports an error about missing login arguments.

As for SAML, I don't know, but I'm guessing that it doesn't work because there was actually an error, just not properly reported.
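As an added example (not code from the question or the answer above), here is a small JavaScript helper that applies the answer's point in an app like the asker's: it builds both forms of the hosted-UI /logout URL, refuses to redirect unless logout_uri is exactly one of the app client's configured Sign out URL(s), and classifies the 302 the way the answer reads it. The pool domain, the client id placeholder, the URL lists and the reproduced Location header are constructed sample values, not real configuration.

```javascript
// Added example: not code from the question or the answer above.
// Helpers for the Cognito hosted-UI /logout endpoint that apply the answer's
// point: Cognito only honours logout_uri when it is exactly one of the app
// client's configured "Sign out URL(s)"; otherwise it bounces to /login.
// SAMPLE_POOL is a constructed sample; the client id is a placeholder.

const SAMPLE_POOL = {
  domain: 'https://my-domain.auth.us-west-2.amazoncognito.com',
  clientId: 'CLIENT_ID_PLACEHOLDER',
  // What is listed under "Sign out URL(s)" in App client settings (constructed).
  signOutUrls: ['https://localhost:8443/logout'],
  // What is listed under "Callback URL(s)" in App client settings (constructed).
  callbackUrls: ['https://localhost:8443/callback'],
};

// Cognito's comparison is literal: scheme, host, port, path and trailing slash
// must all agree. No normalisation is done here on purpose, to mirror that.
function isRegisteredSignOutUrl(logoutUri, signOutUrls) {
  return signOutUrls.includes(logoutUri);
}

// Form 1: /logout?client_id=...&logout_uri=...
// Cognito clears its own session and redirects the browser to logoutUri.
function buildLogoutUrl(pool, logoutUri) {
  if (!isRegisteredSignOutUrl(logoutUri, pool.signOutUrls)) {
    throw new Error(
      `logout_uri "${logoutUri}" is not among the app client's Sign out URL(s); ` +
      'Cognito would redirect to /login instead of signing out');
  }
  const params = new URLSearchParams({ client_id: pool.clientId, logout_uri: logoutUri });
  return `${pool.domain}/logout?${params}`;
}

// Form 2: /logout with the login arguments (redirect_uri + response_type).
// Cognito signs out and shows the hosted login page again.
function buildLogoutToLoginUrl(pool, redirectUri, responseType = 'code') {
  if (!pool.callbackUrls.includes(redirectUri)) {
    throw new Error(`redirect_uri "${redirectUri}" is not among the app client's Callback URL(s)`);
  }
  const params = new URLSearchParams({
    client_id: pool.clientId,
    redirect_uri: redirectUri,
    response_type: responseType,
  });
  return `${pool.domain}/logout?${params}`;
}

// Classify the 302 that /logout returns, the way the answer reads it: a bounce
// back to /login on the Cognito domain that still carries logout_uri means the
// logout_uri was rejected; a redirect to the logout_uri itself is a sign-out.
function classifyLogoutRedirect(pool, status, location, expectedLogoutUri) {
  if (status !== 302 || !location) return 'unexpected';
  const target = new URL(location);
  const cognito = new URL(pool.domain);
  if (target.origin === cognito.origin && target.pathname === '/login' &&
      target.searchParams.has('logout_uri')) {
    return 'logout_uri_rejected';
  }
  if (location === expectedLogoutUri) return 'signed_out';
  return 'other_redirect';
}

// Constructed reproduction of the Location header in the question's trace
// (the real client id is elided there, so a placeholder is used).
const QUESTION_LOCATION =
  'https://my-domain.auth.us-west-2.amazoncognito.com/login?client_id=CLIENT_ID_PLACEHOLDER&logout_uri=http:%2F%2Fyahoo.com';

function demo() {
  const verdict = classifyLogoutRedirect(SAMPLE_POOL, 302, QUESTION_LOCATION, 'http://yahoo.com');
  const fixedUrl = buildLogoutUrl(SAMPLE_POOL, 'https://localhost:8443/logout');
  return { verdict, fixedUrl };
}

console.log(demo());
```

In the browser the result of buildLogoutUrl is meant for a top-level navigation (window.location.assign(url)), not an XHR with a Bearer header as in the question's trace: the endpoint works on the cookies the browser holds for the Cognito domain, and with the IdP sign-out flow it continues with further redirects to the identity provider, which an XMLHttpRequest cannot follow usefully.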