[IdP] Logout error

Forge Component (26 votes)
Published on 4 Jul by Telmo Martins

Hi,

I am able to login and access the applications with the AzureAD/Office365 email and password.

When I click logout it deletes the name of the user (in the Users eSpace, in the user's record), and consequently in the app's header next to the logout button, and redirects to the "Invalid Permissions" screen.

If I click on the app logo, it then goes to the main page (still not showing the user's name).

If I go to the Users eSpace and fill in the name of the user and then refresh the app in the browser, it shows the name again.

It's not really logging out.

In the IdP -> Configurations -> IdP server settings -> IdP Server Single Logout URL , I have https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

What am I missing?


Hi Nelson,

Did you confirm that's the correct logout URL for SAML? Isn't that URL only for the WS-Fed protocol?

Regards


Hello Telmo, I have configured the values that show up on Azure's page:

I've double-checked the post from David Farinha https://www.outsystems.com/forums/discussion/36557/idp-sample-configurations-onelogin-azure/ and now everything is configured as he suggested (he has the logout URL equal to the login URL).


But I still get the same error.



The weird part is, if I go to https://<myServer>/idp/logout.aspx it successfully goes to the Microsoft web page saying my session is logged off.

But from my app it never goes there...

And if I try to access the app afterwards, it goes to the Microsoft login page, as it should.

What I just don't seem to understand is why, after calling the IdP_SingleLogout_Url (/idp/logout.aspx), it doesn't redirect to Microsoft's "logged out" page, but instead goes to the NoPermission page again and then to the IdP_SSO_URL again, so it just logs in again.

Hi Nelson,

I understood that when you click Logout in your web app, you are redirected to NoPermission.aspx instead of the Azure web page saying you are logged off, is that correct?

Keep in mind that you must never execute/call DoLogout from your app; the IdP connector (and only it) will do the OS DoLogout (otherwise you will not be redirected to the IdP server logout page).

Regards
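To make the ordering concrete, here is an added example in Python (not code from the IdP Forge component or from anyone in this thread) of an SP-initiated SAML 2.0 Single Logout over the HTTP-Redirect binding. The thread only states the symptom (calling the platform's DoLogout from the app lands on NoPermission instead of the IdP); the mechanism modelled below, that the connector's logout handler needs the still-live session to find the NameID and SessionIndex it puts in the LogoutRequest, is an assumption. `SessionStore`, `connector_logout`, `IDP_SLO_URL`, `SP_ENTITY_ID` and the example.com hosts are all assumed names.

```python
"""SP-initiated SAML Single Logout, HTTP-Redirect binding (added example).

Assumptions: IDP_SLO_URL / SP_ENTITY_ID are placeholders; SessionStore stands in
for the platform session; connector_logout stands in for the connector's logout page.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

IDP_SLO_URL = "https://idp.example.com/saml2/logout"     # assumption: IdP Single Logout URL
SP_ENTITY_ID = "https://myserver.example.com/idp/"       # assumption: SP issuer / entity ID
NO_PERMISSION_URL = "/NoPermission.aspx"                 # where an unauthenticated request ends up


class SessionStore:
    """Constructed in-memory session store: session id -> data saved at SAML login."""

    def __init__(self):
        self._sessions = {}

    def create(self, name_id, session_index):
        sid = uuid.uuid4().hex
        self._sessions[sid] = {"name_id": name_id, "session_index": session_index}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        """Stands in for the platform's DoLogout: the local session is gone after this."""
        self._sessions.pop(sid, None)


def build_logout_request(name_id, session_index, issuer=SP_ENTITY_ID, destination=IDP_SLO_URL):
    """Minimal <samlp:LogoutRequest>; NameID and SessionIndex come from the login session."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now}" '
        f'Destination="{escape(destination, {chr(34): "&quot;"})}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f"<saml:NameID>{escape(name_id)}</saml:NameID>"
        f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def redirect_binding_url(xml, slo_url=IDP_SLO_URL, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    A real SP also signs the query string (SigAlg/Signature); omitted here."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{slo_url}?{urlencode(params)}"


def decode_saml_request(url):
    """Inverse of redirect_binding_url, so the redirect can be inspected."""
    query = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode("utf-8")


def connector_logout(store, sid):
    """What the connector's logout page has to do, in this order: read the session,
    build the LogoutRequest from it, drop the local session, redirect to the IdP.
    With no session there is nothing to log out of and the user is bounced to NoPermission."""
    session = store.get(sid)
    if session is None:
        return NO_PERMISSION_URL
    url = redirect_binding_url(build_logout_request(session["name_id"], session["session_index"]))
    store.destroy(sid)
    return url


def logout_correct(store, sid):
    """Only the connector ends the session."""
    return connector_logout(store, sid)


def logout_app_calls_dologout_first(store, sid):
    """The pattern from the thread: the app's own DoLogout runs before the connector."""
    store.destroy(sid)
    return connector_logout(store, sid)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("nelson@example.com", "_sess-1")
    print(logout_correct(store, sid)[:60], "...")
    sid = store.create("nelson@example.com", "_sess-2")
    print(logout_app_calls_dologout_first(store, sid))
```

The second helper reproduces the mis-ordering in one line: once the session is gone, the connector's handler has no NameID or SessionIndex to put in the LogoutRequest, so no redirect to the IdP is ever produced. In a real deployment the redirect query string must also be signed and the IdP's LogoutResponse validated; both are left out above.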


Hi Telmo, that's correct, I'm calling both actions.

I will remove the OS's DoLogout and test again.

I'll let you know of the outcome.



Telmo,

After removing the OS's DoLogout it's working!

It does redirect to Microsoft's logged out page now.


There's only one "small" thing happening that I reported in the original message.

When I log in, the name and email fields in the User eSpace are cleared.

I've tested it several times:

1 - Go to User eSpace page and fill in all fields for the user I'm using

2 - Access app, login in Microsoft's page

3 - In the app, upper right corner, the name of the user does not show

4 - Check in User eSpace page, name and email fields are empty

5 - Fill them in again 

6 - Refresh app, the user name shows in the upper right corner 

7 - Do log out

8 - Check in Users eSpace page, name and email fields are still filled in 


From what I see, in the preparation of the IdP screen there's an action "User_Check" that does an update to the USER table.

The values it uses are always empty and are retrieved in the "SAML_Response_Process\DataToUserData" action from the "Config_UserMappings" table.


Is there any configuration missing?

Thanks.



Solution

Hi Nelson,

Yes, by default those fields will be set based on the assertion data. If they are empty in the assertion, they will also be cleared on the OS side. If that information is supposed to be in the assertion, then probably the claims mapping is wrong in the configuration.

If not, and you want to handle those fields yourself, then you need to do a small customization on the component so that it does not set those fields in that action, User_Check.

Regards
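As an added example (not the component's own code and not posted by anyone in this thread), the following Python script shows why a wrong claims mapping clears the user's Name and Email: it pulls the attributes out of a constructed SAML assertion, applies two mappings from user field to claim name, and runs both an overwrite-everything update (the default behaviour described above) and a guarded one that only writes non-empty values. The assertion, the user record and the mapping dictionaries are constructed for the example; `data_to_user_data` and the `user_check_*` functions are assumed names that only stand in for the role of DataToUserData and User_Check, not their real implementation.

```python
"""Claims mapping vs. user-record update (added example, constructed data).

The parser below uses the standard library on a hand-written assertion. Real
responses are untrusted XML: verify the signature with a SAML library first and
parse with defusedxml.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
WS_CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
MS_CLAIMS = "http://schemas.microsoft.com/identity/claims/"

# Constructed sample assertion; the claim URIs follow Azure AD's default naming,
# the tenant id, ID and values are made up.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2019-07-04T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>nelson@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{WS_CLAIMS}name">
      <saml:AttributeValue>nelson@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{WS_CLAIMS}emailaddress">
      <saml:AttributeValue>nelson@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{MS_CLAIMS}displayname">
      <saml:AttributeValue>Nelson André</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed shape of a Config_UserMappings-style table: user field -> claim name.
WRONG_MAPPINGS = {"Name": "displayName", "Email": "mail"}           # short names, not the URIs the IdP sends
RIGHT_MAPPINGS = {"Name": MS_CLAIMS + "displayname", "Email": WS_CLAIMS + "emailaddress"}


def assertion_attributes(xml_text):
    """Return {claim name: [values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attribute in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attribute.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attribute.get("Name")] = values
    return attrs


def data_to_user_data(attrs, mappings):
    """Resolve each user field through the mapping; a claim that is absent from the
    assertion yields "" (this is the empty value the update then writes)."""
    return {field: (attrs.get(claim) or [""])[0] for field, claim in mappings.items()}


def user_check_default(user, mapped, login_time):
    """Overwrite the mapped fields unconditionally, empty values included."""
    updated = dict(user)
    updated.update(mapped)
    updated["Last_Login"] = login_time
    return updated


def user_check_guarded(user, mapped, login_time, fields=("Name", "Email")):
    """Customised variant: only write a field when the assertion actually carried a value."""
    updated = dict(user)
    for field in fields:
        if mapped.get(field):
            updated[field] = mapped[field]
    updated["Last_Login"] = login_time
    return updated


def user_check_last_login_only(user, login_time):
    """The minimal customisation: touch nothing but Last_Login."""
    updated = dict(user)
    updated["Last_Login"] = login_time
    return updated


if __name__ == "__main__":
    user = {"Username": "nelson@example.com", "Name": "Nelson André",
            "Email": "nelson@example.com", "Last_Login": None}
    attrs = assertion_attributes(SAMPLE_ASSERTION)
    print("wrong mapping, default update :", user_check_default(user, data_to_user_data(attrs, WRONG_MAPPINGS), "t1"))
    print("wrong mapping, guarded update :", user_check_guarded(user, data_to_user_data(attrs, WRONG_MAPPINGS), "t1"))
    print("right mapping, default update :", user_check_default(user, data_to_user_data(attrs, RIGHT_MAPPINGS), "t1"))
```

Running it shows the two ways out that the answer above describes: either fix the mapping so the claim names match what the IdP actually sends (the third line keeps the display name), or stop the update from writing empty values (the second line). Whichever is chosen, the attributes must come from a signature-verified assertion before they are allowed to change a user record.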

Telmo, I just kept the update to Last_Login and now it's working fine.

Thanks.