IdentityPython / djangosaml2

Django SAML2 Service Provider based on pySAML2
Apache License 2.0

Logout redirecting to non-url RelayState #385

Closed tymees closed 8 months ago

tymees commented 10 months ago

The new RelayState redirect on logout added in #380 will always redirect to the value of RelayState if it's present. However, PySAML2 (and by extension, djangosaml2) by default populates RelayState with some session info when using client.global_logout(). For example: RelayState: id-00eqm9QMmiliORLoO|1693834357|<secret>

Thus, when doing a logout using the default Logout(Init)View, the user will be redirected to a non-existent page.

(Note: I might just be using the library wrong; however, I don't see a provision to even override the RelayState without a custom logout view or saml client?)

Adding a check if the RelayState even remotely resembles a URL before redirecting would fix this issue while still allowing custom RelayStates:

```python
from django.shortcuts import resolve_url
from django.urls import NoReverseMatch


def finish_logout(request, response):
    # [..]
    try:
        next_path = _get_next_path(request)
        # resolve_url() raises NoReverseMatch when the value is neither a
        # named view nor something that looks like a URL (no '/' or '.').
        next_path = resolve_url(next_path)
    except NoReverseMatch:
        next_path = None
```
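As an added example (not code from djangosaml2 or from this thread), a pure-Python check a logout view could apply to RelayState before redirecting: it rejects the opaque pySAML2 token shape quoted above, and, because RelayState is client-controlled, also refuses off-site and non-http(s) targets. The host allowlist, helper names and sample values are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample values for this example.
DEFAULT_NEXT = "/"
ALLOWED_HOSTS = {"sp.example.com"}  # hypothetical SP host
PYSAML2_STYLE_RELAYSTATE = "id-00eqm9QMmiliORLoO|1693834357|<secret>"  # shape quoted in the issue


def looks_like_url(value: str) -> bool:
    """Same heuristic Django's resolve_url() applies before giving up: a string
    with neither '/' nor '.' is a view name or an opaque token, not a URL."""
    return "/" in value or "." in value


def safe_logout_redirect(relay_state, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_NEXT):
    """Return relay_state as the post-logout target only if it is a usable,
    same-site URL; otherwise fall back to `default`.

    Two failure modes are handled separately:
    - an opaque pySAML2 session token in RelayState (the bug in this issue)
    - an absolute or scheme-relative URL pointing off-site (open redirect)
    """
    if not relay_state or not isinstance(relay_state, str):
        return default
    value = relay_state.strip()
    # Control characters or embedded whitespace never belong in a target URL.
    if any(ord(c) < 0x20 or c.isspace() for c in value):
        return default
    if not looks_like_url(value):
        return default
    # Browsers treat backslashes as slashes, so '/\host' behaves like '//host'.
    if value.startswith(("//", "/\\", "\\")):
        return default
    try:
        parts = urlsplit(value)
    except ValueError:
        return default
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.scheme and not parts.netloc:  # e.g. 'http:/x' is not a usable URL
        return default
    if parts.netloc and parts.hostname not in allowed_hosts:
        return default
    return value
```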
henrikek commented 9 months ago

I have exactly the same problem after upgrading to latest version 1.7. I don't understand how to handle RelayState correctly.

peppelinux commented 9 months ago

I would ask for a PR to solve this issue, can you provide that?

Any further information is useful

tymees commented 9 months ago

Of course, see #388!