Ended up answering my own question :)
I'm actually new to these SAML assertions.
In the AWS documentation on the sign-out flow for a SAML identity provider, it is mentioned to configure the Sign-out URL in the identity provider as <cognito-domain>/saml2/logout.
From the Logging & Monitoring section of Amazon Cognito, I was able to find and understand that the /saml2/logout endpoint only supports POST requests. Please refer to the screenshot below.
From the Microsoft documentation, I came to know that SLO (Single Logout) only supports the HTTP GET binding (not HTTP POST).
https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-out-saml-protocol
To confirm this behavior, as it was not explicitly mentioned anywhere, I used auth0 as an external identity provider and configured one more identity provider (as auth0 supports both the HTTP-Redirect (GET) and HTTP-POST bindings).
1. Logout behavior with the HTTP-POST binding.
- When the sign-out flow is enabled with the SAML signing certificate (from Amazon Cognito), as expected it was able to log out from the user pool and the auth0 identity provider. Please find the image below.
2. Logout behavior was a 400 Bad Response with the HTTP-Redirect binding.
- When sign-out was performed with the HTTP-Redirect binding, it always resulted in a 400 Bad Response.
Logout -> 400 Bad Response
Please review this answer and help me conclude this issue.
Also, I am looking for any solution to avoid this issue, for example whether it can be mitigated by adding an intermediate form/route to make the request with the POST method, or any other approach to handle this behavior and perform logout from the identity provider.
Thanks in advance.
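One way to build the intermediate route mentioned above, as an added example that is not code from this post or from AWS: a relay that accepts the HTTP-Redirect-binding LogoutResponse on GET, re-encodes it for the HTTP-POST binding, and returns a self-submitting form to the /saml2/logout endpoint. The Cognito domain is a placeholder, and the sample message is constructed; note that the Redirect binding carries its signature in the query string rather than inside the XML, so the signature does not survive the conversion and whether the user pool accepts the resulting unsigned LogoutResponse must be verified against the pool's settings.

```python
import base64
import html
import zlib
from urllib.parse import parse_qs, urlencode

# Placeholder: substitute the user pool's own Cognito domain.
COGNITO_LOGOUT_URL = "https://<cognito-domain>/saml2/logout"


def redirect_to_post_payload(query_string: str) -> dict:
    """Re-encode an HTTP-Redirect-binding LogoutResponse as HTTP-POST form fields.

    Redirect binding: base64(raw DEFLATE(xml)) in the query string, signature (if any)
    in separate Signature/SigAlg parameters. POST binding: base64(xml) in a form field,
    signature inside the XML. The detached query-string signature is therefore dropped.
    """
    params = parse_qs(query_string)
    if "SAMLResponse" not in params:
        raise ValueError("missing SAMLResponse parameter")
    deflated = base64.b64decode(params["SAMLResponse"][0])
    xml_bytes = zlib.decompress(deflated, -15)  # -15 = raw DEFLATE, no zlib header
    if b"LogoutResponse" not in xml_bytes:  # relay logout responses only
        raise ValueError("relayed message is not a LogoutResponse")
    fields = {"SAMLResponse": base64.b64encode(xml_bytes).decode("ascii")}
    if "RelayState" in params:
        fields["RelayState"] = params["RelayState"][0]
    return fields

def auto_post_form(fields: dict, action: str = COGNITO_LOGOUT_URL) -> str:
    """Render a self-submitting HTML form that POSTs the fields to /saml2/logout."""
    inputs = "".join(f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
                     for k, v in fields.items())
    return ('<!doctype html><html><body onload="document.forms[0].submit()">'
            f'<form method="POST" action="{html.escape(action)}">{inputs}'
            '<noscript><button type="submit">Continue</button></noscript>'
            '</form></body></html>')

def encode_redirect_binding(xml_bytes: bytes) -> str:
    """Redirect-binding encoding; used here only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")

# Constructed sample LogoutResponse, not a real IdP message.
SAMPLE_XML = (b'<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><samlp:Status>'
              b'<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
              b'</samlp:Status></samlp:LogoutResponse>')
SAMPLE_QUERY = urlencode({"SAMLResponse": encode_redirect_binding(SAMPLE_XML),
                          "RelayState": "post-logout"})
```

Serve `auto_post_form(redirect_to_post_payload(request.query_string))` from the GET route you register as the IdP's logout callback, and keep the route restricted to relaying LogoutResponse messages only.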
Would be accepting this answer once it's reviewed and acknowledged by AWS.