Open tft7000 opened 1 month ago
@tft7000 Really great that you've noticed this... It is a known issue and it has to do with how SSP handles logout: https://github.com/simplesamlphp/simplesamlphp/issues/1522
@tvdijen @monkeyiq If you have any feedback on this...
Summary
I am using SimpleSAMLphp as an IdP with the OIDC module (acting as an OP). Several clients (SPs/RPs) are connected to this IdP, some via SAML and others via OIDC. Additionally, in some cases, the IdP also acts as an SP and authenticates users through another remote IdP.
Problem
When logging out via OIDC, the IdP completes the local logout process and redirects to the specified return URL without logging out the associated SPs/RPs or any remote IdP that may have been involved.
Here is the OIDC logout URL I call: https://myidp.tld/ssp/module.php/oidc/logout.php?id_token_hint=XXX&post_logout_redirect_uri=XXX
However, when logging out using SAML Single Logout (SLO), the logout process ensures that all SPs are logged out, including any possible remote IdP, before redirecting to the calling party.
Here is the SAML SLO URL I call: https://myidp.tld/ssp/saml2/idp/SingleLogoutService.php?ReturnTo=XXX
Expected Behavior
Shouldn't the OIDC logout process also trigger the SAML SLO, ensuring that the session is terminated for all clients, both OIDC and SAML?
Version Info
Additional Information
Please let me know if this behavior is intended or if additional configuration is needed to enable SLO for OIDC clients. Any guidance on ensuring a consistent logout experience across both protocols would be greatly appreciated.
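To make the difference the issue describes concrete, here is a small added model of an IdP/OP session and its two logout paths. This is constructed example code, not SimpleSAMLphp or OIDC-module code: the session registry, the party names (sp-a.example, rp-c.example, upstream-idp.example) and the function names are assumptions made for illustration. It shows what a local-only logout leaves behind (every SP, RP and remote IdP still holds a live session) versus a single logout that notifies each associated party before returning to the caller.

```python
"""
Toy model of the logout behaviour described in the issue. Constructed example,
not SimpleSAMLphp or OIDC-module code: the session registry, party names and
function names are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IdpSession:
    """One authenticated user session at the IdP/OP and the parties tied to it."""
    user: str
    # SAML SPs and OIDC RPs that obtained a session through this IdP session,
    # each mapped to whether that party still considers the user logged in.
    saml_sps: dict = field(default_factory=dict)
    oidc_rps: dict = field(default_factory=dict)
    # Set when the IdP itself authenticated the user via a remote IdP (IdP-as-SP case).
    remote_idp: Optional[str] = None
    remote_idp_logged_in: bool = False
    active: bool = True


def local_only_logout(session: IdpSession) -> list[tuple[str, str]]:
    """Behaviour the issue reports for the OIDC logout endpoint: the IdP-local
    session ends, no other party is notified, and the caller is redirected."""
    session.active = False
    return []  # parties notified: none


def single_logout(session: IdpSession) -> list[tuple[str, str]]:
    """Behaviour the issue reports for SAML SLO: every associated SP/RP and any
    remote IdP is logged out before the IdP returns to the calling party."""
    notified = []
    for sp in sorted(session.saml_sps):
        session.saml_sps[sp] = False
        notified.append(("saml-sp", sp))
    for rp in sorted(session.oidc_rps):
        session.oidc_rps[rp] = False
        notified.append(("oidc-rp", rp))
    if session.remote_idp and session.remote_idp_logged_in:
        session.remote_idp_logged_in = False
        notified.append(("remote-idp", session.remote_idp))
    session.active = False
    return notified


def still_logged_in(session: IdpSession) -> list[str]:
    """Parties that still hold a live session after logout: the residual
    sessions a defender wants to see terminated."""
    left = [sp for sp, live in session.saml_sps.items() if live]
    left += [rp for rp, live in session.oidc_rps.items() if live]
    if session.remote_idp and session.remote_idp_logged_in:
        left.append(session.remote_idp)
    return sorted(left)


def make_session() -> IdpSession:
    """Constructed sample: mixed SAML/OIDC clients plus an upstream IdP."""
    return IdpSession(
        user="alice",
        saml_sps={"sp-a.example": True, "sp-b.example": True},
        oidc_rps={"rp-c.example": True},
        remote_idp="upstream-idp.example",
        remote_idp_logged_in=True,
    )


if __name__ == "__main__":
    s1 = make_session()
    local_only_logout(s1)
    print("after local-only logout, still logged in:", still_logged_in(s1))
    s2 = make_session()
    print("SLO notified:", single_logout(s2))
    print("after single logout, still logged in:", still_logged_in(s2))
```

Run as a script to see the two outcomes side by side: after the local-only path all four parties remain logged in, after the single-logout path none do. The model only tracks which parties would need to be notified; the actual front-channel or back-channel messages sent to each SP, RP or remote IdP are outside its scope.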