Ir para o conteúdo
Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post
sobre o re:Post

Amazon Cognito /saml2/logout endpoint returns 400 response

0

Hi,

I have created a user pool in Amazon Cognito with external identity provider (Microsoft Enterprise Application) using SAML. I have followed this blog (https://aws.amazon.com/blogs/security/how-to-set-up-amazon-cognito-for-federated-authentication-using-azure-ad/) and established federated identities between my enterprise application and user pool. I was successfully able to login using the enterprise registered user information.

Identity Provider Configuration:

  • Provider Type: SAML
  • SAML Signing and encryption: Sign SAML requests to this provider Note: Encryption is not enabled.
  • Sign-out flow: Enabled

User pool Configuration:

  • Domain: Cognito Domain
  • MfaConfiguration: Disabled
  • OAuth grant types: Authorization code grant

Above are the notable configuration from my end for the audience.

Im trying to establish the sign-out flow for the user pool. As per the documentation, I have downloaded the signing certificate from user pool and uploaded in the Microsoft enterprise application (Verification certificate). I have also enabled the sign-out flow in the identity provider configuration. I have updated the sign-out URL in the Single Sign On configuration with Cognito Domain & endpoint /saml2/logout

I have used Amplify and tried Sign-out. Used Amplify Auth library (.signOut) method. As expected it was able to logout from userpool and Idp. Eventually Idp redirects using the endpoint provided /saml2/logout with query string parameters such as SAMLResponse, RelayState, Signature and SigAlg.

Note: I was successfully able to logout from user pool. I would like extend this functionality to my Idp as well.

Issue. The redirected endpoint /saml2/logout is always resulted in 400 Bad request. 400 Bad request when its redirecting to the above endpoint from IDP

Above part, I have tried with Flask as backend server by redirecting <cognito-domain> with logout endpoint with query string parameters response_code, client_id and logout_uri. I am facing exact same issue here as well.

Any suggestions/ solutions / directions would be much appreciated.

Thank you very much in advance.

Tópicos
Segurança, identidade e conformidade
Tags
Identidades federadas do Amazon CognitoAmazon CognitoGrupos de usuários do Amazon Cognito
Idioma
English
feita há 2 anos1,6 mil visualizações
2 Respostas
0

Ended up answering my own question :)

I'm actually new to these SAML assertion.

In AWS Documentation w.r.t to Sign-out flow for SAML Identity provider, It was mentioned to configure the Sign-out URL in Identity provider <cognito-domain> with /saml2/logout. From Logging & Monitoring section of Amazon Cognito, I was able to found and understand /saml2/logout endpoint only supports POST request. Please refer the below screenshot

SAML2Logout_POST event

For Microsoft documentation, I came to know SLO (Single Logout) only supports HTTP GET binding. (Not HTTP POST). https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-out-saml-protocol

To confirm this behavior, as it was not explicitly mentioned anywhere. I have used auth0 as an external identity provider and configured one more identity provider. (As auth0 supports both HTTP-Redirect (GET) & HTTP-POST bindings.

1, Logout behavior with HTTP-POST binding.

  • When the sign-out flow is enabled with SAML Signing certificate (From Amazon Cognito). As expected it was able to logout from User pool and auth0 identity provider. Please find the below image. HTTP POST Binding auth0

2, Logout behavior was 400 Bad response with HTTP-Redirect binding.

  • When sign-out was performed with HTTP-Redirect binding, it always results in 400 Bad response. HTTP Redirect Binding auth0

Logout -> 400 Bad Response 400 Bad response when performing logout with Sign-out flow enabled

Please review this answer and help me conclude this issue.

Also, Looking for any solution to avoid this issue like If this can be mitigated by adding an intermediate FORM/ Route to make a request with POST Method. Or any other approach to handle this behavior to perform logout from Identity provider.

Thanks in Advance.

respondido há 2 anos
  • nareshc3
    há 2 anos

    Would be accepting this answer, once its reviewed and acknowledged by AWS

0

I'm having the same issue with the logout, where Cognito expects a POST for the logout URL, but Microsoft Entra ID is doing a GET.

Are there any plans to support GET callback in Cognito for the logout URL?

respondido há 6 meses

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Conteúdo relevante