Amazon Cognito /saml2/logout endpoint returns 400 response
Hi,
I have created a user pool in Amazon Cognito with external identity provider (Microsoft Enterprise Application) using SAML. I have followed this blog (https://aws.amazon.com/blogs/security/how-to-set-up-amazon-cognito-for-federated-authentication-using-azure-ad/) and established federated identities between my enterprise application and user pool. I was successfully able to login using the enterprise registered user information.
Identity Provider Configuration:
- Provider Type: SAML
- SAML Signing and encryption: Sign SAML requests to this provider Note: Encryption is not enabled.
- Sign-out flow: Enabled
User pool Configuration:
- Domain: Cognito Domain
- MfaConfiguration: Disabled
- OAuth grant types: Authorization code grant
Above are the notable configuration from my end for the audience.
Im trying to establish the sign-out flow for the user pool. As per the documentation, I have downloaded the signing certificate from user pool and uploaded in the Microsoft enterprise application (Verification certificate). I have also enabled the sign-out flow in the identity provider configuration. I have updated the sign-out URL in the Single Sign On configuration with Cognito Domain & endpoint /saml2/logout
I have used Amplify and tried Sign-out. Used Amplify Auth library (.signOut) method. As expected it was able to logout from userpool and Idp. Eventually Idp redirects using the endpoint provided /saml2/logout with query string parameters such as SAMLResponse, RelayState, Signature and SigAlg.
Note: I was successfully able to logout from user pool. I would like extend this functionality to my Idp as well.
Issue.
The redirected endpoint /saml2/logout is always resulted in 400 Bad request.
Above part, I have tried with Flask as backend server by redirecting <cognito-domain> with logout endpoint with query string parameters response_code, client_id and logout_uri. I am facing exact same issue here as well.
Any suggestions/ solutions / directions would be much appreciated.
Thank you very much in advance.
- Newest
- Most votes
- Most comments
Ended up answering my own question :)
I'm actually new to these SAML assertion.
In AWS Documentation w.r.t to Sign-out flow for SAML Identity provider, It was mentioned to configure the Sign-out URL in Identity provider <cognito-domain> with /saml2/logout.
From Logging & Monitoring section of Amazon Cognito, I was able to found and understand /saml2/logout endpoint only supports POST request. Please refer the below screenshot
For Microsoft documentation, I came to know SLO (Single Logout) only supports HTTP GET binding. (Not HTTP POST).
https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-out-saml-protocol
To confirm this behavior, as it was not explicitly mentioned anywhere.
I have used auth0 as an external identity provider and configured one more identity provider. (As auth0 supports both HTTP-Redirect (GET) & HTTP-POST bindings.
1, Logout behavior with HTTP-POST binding.
- When the sign-out flow is enabled with SAML Signing certificate (From Amazon Cognito). As expected it was able to logout from User pool and
auth0identity provider. Please find the below image.
2, Logout behavior was 400 Bad response with HTTP-Redirect binding.
- When sign-out was performed with
HTTP-Redirectbinding, it always results in 400 Bad response.
Logout -> 400 Bad Response
Please review this answer and help me conclude this issue.
Also, Looking for any solution to avoid this issue like If this can be mitigated by adding an intermediate FORM/ Route to make a request with POST Method. Or any other approach to handle this behavior to perform logout from Identity provider.
Thanks in Advance.
Relevant content
- asked 4 years ago
AWS OFFICIALUpdated 8 months ago- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 years ago
Would be accepting this answer, once its reviewed and acknowledged by AWS