1 vote

I'm trying SSO integration for my application with passport-saml and am currently able to authenticate successfully with ADFS as the IdP. Logout does not work as expected: it removes the local cookie but not the ADFS-specific cookie after logout.

Logout is done as mentioned in this post, and it successfully does a GET redirect to the application endpoint from the metadata SLO on the ADFS side. But the logout still does not happen in ADFS.

I also referred to this post for SLO to work, and it generates an HTTP-Redirect binding for the SAML logout request by default.

The issue that I'm facing is the same as mentioned in this post.

Please let me know if some step is missed on logout.

Thanks for your help in advance!

1 Answer

0 votes

The logout fix for ADFS is as follows:

The session index attribute was missing and had to be added as part of the passport-saml logout request.

I debugged this using the ADFS logs (Event Viewer); the error was:

The SAML Single Logout request does not correspond to the logged-in session participant. Requestor: app.yyy.com
Request name identifier: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, NameQualifier: SPNameQualifier: , SPProvidedId: Logged-in session participants: Count: 1, [Issuer: app.yyy.com, NameID: (Format: , NameQualifier: SPNameQualifier: , SPProvidedId: )]

This request failed.

It meant that nameIDFormat should be left empty in my case for logging out the session. Previously I was using the nameIDFormat that was specified for the authentication request, and it did not work.

The HTTP-POST binding did not make any difference without this config.

Hope this helps someone else who is trying the same.