0 votes

I have created a connected App on the Salesforce end, and I am using passport-saml to provide SSO to several Node.js applications based on Express.js.

SSO is working fine.

However, when I log out of Salesforce, I can still log in to the applications.

I believe that this has something to do with cookies. Is there any way to watch a Salesforce cookie and log out when it is invalidated?

Or is there any way to send a call from Salesforce to one of my routes when a logout is initiated?


2 Answers

0 votes

You can validate the auth token (Salesforce or whatever) before serving the static files.

However, if you are building a SPA, then you will need to validate the session in the frontend code (which runs in the browser) as well.

Otherwise, your approach will not work when the browser performs caching and when you are saving data to the browser's local storage from your SPA.

0 votes

The solution is to validate the Salesforce auth token before serving the web application from Node.js. In other words, the Node.js backend application will validate the corresponding Salesforce session using the Salesforce sessionId token received when logging in using the jsforce.connection.login interface. If the session is no longer valid, the Passport.js session should be invalidated using the req.logout() method.
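The approach from this answer as an added example, not code from the question or either answer: an Express middleware that re-checks the Salesforce session on each request and tears down the Passport.js login when Salesforce no longer accepts it. It assumes the SAML login stored the Salesforce session id on `req.user.sfSessionId` (a hypothetical field name) and that jsforce's `conn.identity()` rejects a logged-out session with `INVALID_SESSION_ID`; the check is injected so the block runs offline against a constructed stub.

```javascript
// Express middleware: re-check the Salesforce session behind the passport-saml
// login on each request, and req.logout() when Salesforce no longer knows it.
// checkSession(sessionId, instanceUrl, cb) is injected: jsforce in production,
// an offline stub here.
function createSalesforceSessionGuard(checkSession, { ttlMs = 60000 } = {}) {
  return function guard(req, res, next) {
    const user = req.user;
    if (!user || !user.sfSessionId) return res.redirect('/login');
    const now = Date.now();
    // Throttle the round trip: a check younger than ttlMs is trusted.
    if (req.session.sfCheckedAt && now - req.session.sfCheckedAt < ttlMs) return next();
    checkSession(user.sfSessionId, user.sfInstanceUrl, (err, valid) => {
      if (err || !valid) {
        // Fail closed: an error or a revoked session tears down the local login.
        delete req.session.sfCheckedAt;
        return req.logout((e) => (e ? next(e) : res.redirect('/login')));
      }
      req.session.sfCheckedAt = now;
      next();
    });
  };
}
// Production checker (assumed jsforce behaviour: conn.identity() fails with
// errorCode INVALID_SESSION_ID once the user has logged out of Salesforce):
//   function checkWithJsforce(sessionId, instanceUrl, cb) {
//     const conn = new jsforce.Connection({ accessToken: sessionId, instanceUrl });
//     conn.identity((err) => cb(err && err.errorCode !== 'INVALID_SESSION_ID' ? err : null, !err));
//   }

// Constructed stand-in for Salesforce: the session ids that are still live.
const liveSessions = new Set(['00Dxx0000000001!CONSTRUCTED_LIVE']);
function stubCheck(sessionId, _instanceUrl, cb) { cb(null, liveSessions.has(sessionId)); }

// Drive the middleware with fake req/res (passport >= 0.6 style req.logout(cb))
// and report what happened, so it can be exercised without a server.
function simulate(guard, sessionId, session = {}) {
  const outcome = { next: false, redirect: null, loggedOut: false, session };
  const req = {
    user: { sfSessionId: sessionId, sfInstanceUrl: 'https://example.my.salesforce.com' },
    session,
    logout(cb) { outcome.loggedOut = true; this.user = null; cb(); },
  };
  const res = { redirect(url) { outcome.redirect = url; } };
  guard(req, res, (err) => { if (err) throw err; outcome.next = true; });
  return outcome;
}

const guard = createSalesforceSessionGuard(stubCheck);
console.log(simulate(guard, '00Dxx0000000001!CONSTRUCTED_DEAD')); // loggedOut: true, redirect: '/login'
```

Mount it with `app.use(guard)` ahead of the routes that serve the application; the throttle keeps the Salesforce round trip to one call per `ttlMs` per session.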