Closed tymees closed 8 months ago
I have exactly the same problem after upgrading to latest version 1.7. I don't understand how to handle RelayState correctly.
I would ask for a PR to solve this issue, can you provide that?
Any further information is useful.
Of course, see #388!
The new RelayState redirect on logout added in #380 will always redirect to the value of RelayState if it's present. However, PySAML2 (and by extension, djangosaml2) by default populates RelayState with some session info when using `client.global_logout()`. For example:

    RelayState: id-00eqm9QMmiliORLoO|1693834357|<secret>

Thus, when doing a logout using the default `Logout(Init)View`, the user will be redirected to a non-existent page. (Note: I might just be using the library wrong; however, I don't see a provision to even override the RelayState without a custom logout view or saml client?)

Adding a check if the `RelayState` even remotely resembles a URL before redirecting would fix this issue while still allowing custom RelayStates:
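As an added defensive illustration (this is not the issue author's code and not djangosaml2's or PySAML2's own implementation): a standalone check that treats a RelayState as a redirect target only when it is a local path or an http(s) URL on an explicitly allowed host, and that rejects the `id-…|timestamp|secret` session-state form PySAML2 populates by default. The regular expression for that form is an assumption inferred from the single example value in this issue; the function and parameter names are hypothetical, and the sample values in the comments are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed shape of PySAML2's default RelayState, inferred from the example
# "id-00eqm9QMmiliORLoO|1693834357|<secret>" in this issue: an "id-" prefix,
# a pipe, a numeric timestamp, a pipe, and an opaque secret.
PYSAML2_STATE_RE = re.compile(r"^id-[A-Za-z0-9]+\|\d+\|.+$")


def is_pysaml2_session_state(relay_state: str) -> bool:
    """True if the value looks like PySAML2's own session bookkeeping, not a URL."""
    return bool(PYSAML2_STATE_RE.match(relay_state))


def is_safe_redirect_target(relay_state: str, allowed_hosts: frozenset) -> bool:
    """Accept only a same-site path or an http(s) URL whose host is allow-listed.

    Rejects: empty values, PySAML2 session state, whitespace/control characters,
    backslashes (browsers treat them as slashes), non-http(s) schemes, and
    network-path references ("//host/...") or absolute URLs to other hosts.
    """
    if not relay_state:
        return False
    if is_pysaml2_session_state(relay_state):
        return False
    if any(ch.isspace() or ord(ch) < 0x20 for ch in relay_state):
        return False
    if "\\" in relay_state:
        return False

    parts = urlsplit(relay_state)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute URL or "//host/path": host must be explicitly allowed.
        return parts.hostname in allowed_hosts
    # No host at all: only a rooted local path is acceptable ("/x", not "x").
    return relay_state.startswith("/") and not relay_state.startswith("//")


def choose_logout_redirect(relay_state, default: str = "/", allowed_hosts=frozenset()) -> str:
    """Return relay_state if it is a safe redirect target, otherwise the default."""
    if relay_state is not None and is_safe_redirect_target(relay_state, allowed_hosts):
        return relay_state
    return default


if __name__ == "__main__":
    hosts = frozenset({"app.example.org"})  # constructed allow-list
    for value in (
        "id-00eqm9QMmiliORLoO|1693834357|s3cr3t",  # constructed PySAML2-style state
        "/accounts/logged-out/",                     # local path: accepted
        "//evil.example/phish",                      # network-path to other host: rejected
        "https://app.example.org/bye",               # allow-listed host: accepted
        "https://evil.example/bye",                  # other host: rejected
    ):
        print(f"{value!r:45} -> {choose_logout_redirect(value, '/', hosts)!r}")
```

The default here is a safe local landing page rather than a hard error, so a logout that was started through `Logout(Init)View` with PySAML2's own RelayState still completes; an explicitly allow-listed host is required before any absolute URL is honoured, which is the same posture as Django's own `url_has_allowed_host_and_scheme` helper.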