Auth::SAML logout not performed when using a logout_sso $URL rule when using HTTP-POST binding
Concerned version
Version: 2.0.15
Summary
- Configure Auth::SAML (IDP must use POST binding for logout)
- Log in using Auth::SAML
- Browse to auth.example.com/?logout=1
- You are logged out from IDP ✅
- Log in again
- Browse to auth.example.com/?logout=1&url=[base64(test1.example.com)]
- You are redirected to test1.example.com
- But you are not logged out from IDP ❌
Logs
[LLNG:184764] [debug] Processing checkLogout
[LLNG:184764] [debug] Processing authLogout
[debug] Redirect user to http://auth.idp.com/saml/singleLogout using autoPost
[debug] Local handler logout
[notice] User fa@badwolf.org@idp has been disconnected from SAML (127.0.0.1)
[debug] [notice] User fa@badwolf.org@idp has been disconnected from SAML (127.0.0.1)
[debug] Returned status: -2 (PE_REDIRECT)
[debug] Calling autoredirect
[debug] Building redirection to http://test1.example.com
Possible fixes
Fix the way autoPost is detected in deleteSession
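
A log check for the symptom reported above, added here as an example (it is not part of the original report and not the project's code): it flags logout sequences where an autoPost to the IdP single-logout URL was announced but the portal then built a plain redirection to another host. The function name `find_skipped_slo` is hypothetical, the line formats are assumed to match the Logs section, and the second sequence in the sample is constructed.

```python
import re
from urllib.parse import urlsplit

# Sample input: first sequence copied from the Logs section of this report;
# second sequence is constructed (logout without url=, assumed to end at autoPost).
SAMPLE_LOG = """\
[LLNG:184764] [debug] Processing checkLogout
[LLNG:184764] [debug] Processing authLogout
[debug] Redirect user to http://auth.idp.com/saml/singleLogout using autoPost
[debug] Local handler logout
[debug] Returned status: -2 (PE_REDIRECT)
[debug] Calling autoredirect
[debug] Building redirection to http://test1.example.com
[LLNG:184765] [debug] Processing checkLogout
[LLNG:184765] [debug] Processing authLogout
[debug] Redirect user to http://auth.idp.com/saml/singleLogout using autoPost
"""

START_RE = re.compile(r"Processing checkLogout")
AUTOPOST_RE = re.compile(r"Redirect user to (\S+) using autoPost")
REDIRECT_RE = re.compile(r"Building redirection to (\S+)")


def find_skipped_slo(log_text):
    """Return (idp_slo_url, final_url) pairs where an announced autoPost
    logout was followed by a redirection to a different host."""
    findings = []
    pending = None  # IdP SLO URL announced for the current logout, if any
    for line in log_text.splitlines():
        if START_RE.search(line):
            pending = None  # a new logout sequence begins
            continue
        match = AUTOPOST_RE.search(line)
        if match:
            pending = match.group(1)
            continue
        match = REDIRECT_RE.search(line)
        if match and pending:
            final_url = match.group(1)
            # A redirect to another host means the POST form was never served
            if urlsplit(final_url).netloc != urlsplit(pending).netloc:
                findings.append((pending, final_url))
            pending = None
    return findings


if __name__ == "__main__":
    for slo_url, final_url in find_skipped_slo(SAMPLE_LOG):
        print(f"SLO to {slo_url} replaced by redirect to {final_url}")
```

Run against portal debug logs after a fix is deployed, an empty result for the `?logout=1&url=...` case indicates the autoPost is no longer being overridden by the redirect.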