
Single Logout only leads to logout at the SAML service and at wordpress #73

Open
thht opened this issue Jan 10, 2019 · 9 comments

Comments

@thht

thht commented Jan 10, 2019

hi,

prerequisites:

  1. the plugin is configured and working. SLO URL is set and SLO is enabled.

expected behavior:

  1. user logs in via SSO
  2. user is logged into the respective wordpress account
  3. user logs out using the wordpress logout link
  4. user gets logged out of the SSO
  5. user returns to the wordpress page
  6. user is also logged out from the wordpress account

observed behavior:

SSO service logout is performed, yet the user is still logged into the wordpress account. Clicking on "logout" once more does not do the trick because it simply tries to log out again at the SSO provider.

@pitbulk
Contributor

pitbulk commented Jan 11, 2019

Can you confirm that the LogoutResponse from the IdP is valid and has a Success Status?

You can try to debug the SLO process and see what's going on at the Wordpress site.

@ghost

ghost commented Apr 19, 2019

Hello,

Same issue there.

We are using an F5 reverse proxy as SAML IdP and we have successfully set up the SAML Logon part.

When the user disconnects from the website, we get a redirection to the wp-admin page.

@bkno

bkno commented Jul 3, 2019

Same issue here. Logout link in WordPress logs user out of IdP (Salesforce) but not WordPress.

When I try the WordPress logout link a second time the WordPress login page is shown with the page wp-login.php?SAMLResponse=[huge string]

@pitbulk
Contributor

pitbulk commented Jul 3, 2019

Can you confirm that Salesforce is returning a LogoutResponse with Success Status?
You can use SAMLTracer to record and analyze the LogoutResponse.

@bkno

bkno commented Jul 3, 2019

On logging out from WordPress it does receive a success status from Salesforce: urn:oasis:names:tc:SAML:2.0:status:Success.

When the HTTP Redirect call is made to the WordPress server, I can see that the Destination attribute is set in the Logout Request element: <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://domain.com/wp-login.php?saml_sls"

However, when I monitor on the WordPress web server, I don't see any requests being made that include the saml_sls query string parameter. The GET parameters that are present are SAMLResponse, RelayState, SigAlg and Signature when the response hits wp-login.php.

I wonder if saml_sls is being stripped out on the Salesforce side and have suggested the developer on their side use saml_sls=true in the single logout URL to see if that makes a difference.

@bkno

bkno commented Jul 4, 2019

Further update. Got it working in Salesforce by using the log out URL https://domain.com/wp-login.php?saml_sls=logout. It seems Salesforce strips out the parameter if it's empty.
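To make the failure mode in this thread concrete, here is an added example (not code from the plugin or from any commenter) that models the three pieces involved: an IdP that rebuilds the SLO URL and drops parameters with an empty value, an SP dispatcher on wp-login.php that routes by the presence of the saml_sls key, and a check that the returned LogoutResponse is addressed to the SLS endpoint and carries the Success status. The URL, the normalization behaviour and the LogoutResponse document are constructed assumptions based on what bkno reported.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def normalize_dropping_empty(url):
    """Assumed IdP behaviour: the configured logout URL is re-serialized and
    any query parameter whose value is empty is dropped, so '?saml_sls'
    disappears while '?saml_sls=logout' survives."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if v != ""]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def route_wp_login(url):
    """Model of the SP side: a request to wp-login.php is handled as a Single
    Logout Service request when the saml_sls key is present (any value);
    otherwise a SAMLResponse is treated as a login (ACS) response."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "saml_sls" in query:
        return "sls"
    if "SAMLResponse" in query:
        return "acs"
    return "login"

def logout_response_ok(xml_text, expected_destination):
    """Defender-side check on the decoded LogoutResponse: correct element,
    Destination equal to the SP's SLS endpoint, and a Success StatusCode."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        return False
    if root.get("Destination") != expected_destination:
        return False
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return code is not None and code.get("Value") == SUCCESS

# Constructed sample LogoutResponse (not captured from a real IdP).
SAMPLE_LOGOUT_RESPONSE = """<samlp:LogoutResponse
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed"
  Version="2.0" IssueInstant="2019-07-04T00:00:00Z"
  Destination="https://domain.com/wp-login.php?saml_sls=logout">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:LogoutResponse>"""

if __name__ == "__main__":
    broken = normalize_dropping_empty("https://domain.com/wp-login.php?saml_sls")
    print(broken, "->", route_wp_login(broken + "?SAMLResponse=x"))  # lands on ACS, not SLS
    fixed = normalize_dropping_empty("https://domain.com/wp-login.php?saml_sls=logout")
    print(fixed, "->", route_wp_login(fixed + "&SAMLResponse=x"))   # reaches SLS
```

Run as-is, the script shows why the empty-valued URL ends up on the login handler with a SAMLResponse attached, which matches the wp-login.php?SAMLResponse=... page described above.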

@ghost

ghost commented Jul 9, 2019

Hello @bkno

You legit are my savior.

Thanks to you, my wordpress SAML setup is now working as expected.

If only you knew how many hours we have lost on this case.

We are using an F5 BIG-IP loadbalancer as SAML identity provider instead of Salesforce but the issue was the same.

Kudos.

@ninoskuflic

Hi @Nh3xus and @bkno, I'm a little bit late for the party. :)

Could you please let me know where you put https://domain.com/wp-login.php?saml_sls=logout? In Azure AD > Enterprise Applications > APP-NAME > SSO > Logout Url or somewhere in WordPress?

I have an issue with OneLogin SSO because when the user logs out of the SSO session (SAML), and they refresh the page - they are logged back into WordPress unless they close their browser.

Thanks! :)

@wangstein

@ninoskuflic hey, did you ever figure out your question above? Where to put the logout link (https://domain.com/wp-login.php?saml_sls=logout)?
