SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

Single Logout only leads to logout at the SAML service and at wordpress #73

Open thht opened 5 years ago

thht commented 5 years ago

hi,

prerequisites:

  1. the plugin is configured and working. SLO URL is set and SLO is enabled.

expected behavior:

  1. user logs in via SSO
  2. user is logged into the respective WordPress account
  3. user logs out using the wordpress logout link
  4. user gets logged out of the SSO
  5. user returns to the wordpress page
  6. user is also logged out of the WordPress account

observed behavior:

SSO service logout is performed, yet the user is still logged into the WordPress account. Clicking on "logout" once more does not do the trick because it simply tries to log out again at the SSO provider.

pitbulk commented 5 years ago

Can you confirm that the LogoutResponse from the IdP is valid and has a Success Status?

You can try to debug the SLO process and see what's going on at the WordPress site.

ghost commented 5 years ago

Hello,

Same issue there.

We are using an F5 reverse proxy as SAML IdP and we have successfully set up the SAML logon part.

When the user disconnects from the website, we get a redirection to the wp-admin page.

bkno commented 5 years ago

Same issue here. Logout link in WordPress logs user out of IdP (Salesforce) but not WordPress.

When I try the WordPress logout link a second time the WordPress login page is shown with the page wp-login.php?SAMLResponse=[huge string]

pitbulk commented 5 years ago

Can you confirm that Salesforce is returning a LogoutResponse with Success Status? You can use SAMLTracer to record and analyze the LogoutResponse.

bkno commented 5 years ago

On logging out from WordPress it does receive a success status from Salesforce: urn:oasis:names:tc:SAML:2.0:status:Success.

When the HTTP Redirect call is made to the WordPress server, I can see that the Destination attribute is set in the Logout Request element: <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://domain.com/wp-login.php?saml_sls"

However, when I monitor on the WordPress web server, I don't see any requests being made that include the saml_sls query string parameter. The GET parameters that are present are SAMLResponse, RelayState, SigAlg and Signature when the response hits wp-login.php.

I wonder if saml_sls is being stripped out on the Salesforce side and have suggested that the developer on their side use saml_sls=true in the single logout URL to see if that makes a difference.

bkno commented 5 years ago

Further update. Got it working in Salesforce by using the logout URL https://domain.com/wp-login.php?saml_sls=logout. It seems Salesforce strips out the parameter if it's empty.
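
Added example (Python; not plugin code and not part of anyone's comment in this thread) that models the failure bkno diagnosed in the two comments above. It encodes a constructed LogoutResponse with the SAML HTTP-Redirect binding (raw DEFLATE, then base64), appends it to the configured SLS URL the way an IdP would, once with empty-valued query parameters dropped as bkno observed on the Salesforce side, and then inspects what arrives at wp-login.php: whether the saml_sls marker survived and whether the StatusCode is Success. The IdP model (`build_idp_redirect`), the LogoutResponse XML, the host name and the RelayState value are all constructed; the example does not produce or verify the SigAlg/Signature parameters that a real IdP and the plugin exchange.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed LogoutResponse, shaped like the one described in the thread
# (Success status, Destination pointing at the plugin's SLS endpoint).
# This is sample data, not a real capture.
LOGOUT_RESPONSE = (
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example_response" Version="2.0" IssueInstant="2019-01-01T00:00:00Z" '
    'Destination="https://domain.com/wp-login.php?saml_sls" '
    'InResponseTo="_example_request">'
    '<saml:Issuer>https://idp.example/</saml:Issuer>'
    '<samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status>'
    '</samlp:LogoutResponse>'
)


def encode_redirect_payload(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode()) + comp.flush()
    return base64.b64encode(data).decode()


def decode_redirect_payload(b64):
    """Inverse of encode_redirect_payload: base64, then raw INFLATE."""
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def build_idp_redirect(sls_url, xml_text, relay_state="https://domain.com/",
                       drop_empty=False):
    """Model (assumption, not any vendor's real code) of an IdP that appends
    SAMLResponse and RelayState to the SLS URL configured for the SP.
    drop_empty=True reproduces what bkno reported: a query parameter with an
    empty value (a bare 'saml_sls') is discarded before the redirect is built."""
    parts = urlsplit(sls_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if drop_empty:
        query = {k: v for k, v in query.items() if any(v)}
    flat = {k: v[0] for k, v in query.items()}
    flat["SAMLResponse"] = encode_redirect_payload(xml_text)
    flat["RelayState"] = relay_state
    # A real IdP also appends SigAlg and Signature; omitted (no key material).
    return urlunsplit(parts._replace(query=urlencode(flat)))


def inspect_sls_request(url):
    """What the SLS endpoint sees: is the saml_sls marker present at all, and
    does the LogoutResponse carry a Success status (the two checks raised in
    the thread)?"""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    info = {"has_sls_marker": "saml_sls" in q, "status": None, "destination": None}
    if "SAMLResponse" in q:
        root = ET.fromstring(decode_redirect_payload(q["SAMLResponse"][0]))
        info["destination"] = root.get("Destination")
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        info["status"] = code.get("Value") if code is not None else None
    info["success"] = info["status"] == SUCCESS
    return info


def compare_sls_urls():
    """Run the bare and the valued SLS URL through the empty-value-dropping
    IdP model and report what reaches wp-login.php in each case."""
    out = {}
    for label, sls in (("bare", "https://domain.com/wp-login.php?saml_sls"),
                       ("valued", "https://domain.com/wp-login.php?saml_sls=logout")):
        redirect = build_idp_redirect(sls, LOGOUT_RESPONSE, drop_empty=True)
        out[label] = inspect_sls_request(redirect)
    return out


if __name__ == "__main__":
    for label, info in compare_sls_urls().items():
        print(label, info)
```

Both runs decode to a Success status, so checking the StatusCode alone (the first thing asked for in the thread) does not explain the symptom; the difference is that the "bare" run arrives without any saml_sls key, so an endpoint that tests for the presence of that key never enters the SLS code path and WordPress keeps its session, which matches the observed redirect to wp-login.php with only SAMLResponse, RelayState, SigAlg and Signature set.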

ghost commented 5 years ago

Hello @bkno

You legit are my savior.

Thanks to you, my WordPress SAML setup is now working as expected.

If only you knew how many hours we have lost on this case.

We are using an F5 BIG-IP load balancer as SAML identity provider instead of Salesforce, but the issue was the same.

Kudos.

ninoskuflic commented 3 years ago

Hi @Nh3xus and @bkno, I'm a little bit late for the party. :)

Could you please let me know where you put https://domain.com/wp-login.php?saml_sls=logout? In Azure AD > Enterprise Applications > APP-NAME > SSO > Logout Url, or somewhere in WordPress?

I have an issue with OneLogin SSO because when the user logs out of the SSO session (SAML), and they refresh the page - they are logged back into WordPress unless they close their browser.

Thanks! :)

wangstein commented 1 year ago

@ninoskuflic Hey, did you ever figure out your question above? Where to put the logout link (https://domain.com/wp-login.php?saml_sls=logout)?