Logout response to idP initiated SLO #445

Closed
PaulaSazonov opened this issue Aug 16, 2020 · 4 comments

Comments

@PaulaSazonov

How to return a logout response to a logout request from the IdP? I have an IdP that requires this as part of the SLO process, and after multiple attempts and going through the source code and documentation, I have not found out how to do this. Any advice would be much appreciated!

@srd90

srd90 commented Aug 16, 2020

passport-saml's incoming LogoutRequest handling implementation is not spec compliant (it is unable to terminate the SP side session using only the information provided in the LogoutRequest).
Furthermore it may leave SP side sessions open (if IdP and SP are at different domains and if/when the web application's session cookie is not delivered to the web application for various reasons) EVEN THOUGH it shall always report to the IdP that the session at the SP side was successfully terminated, which means that the end user may see false information at the IdP's logout tracking page.

See issue #419 for further information.

tl;dr: you should not use passport-saml's current SLO handling implementation at all if your IdP is at a different domain than your SP. LogoutRequest from IdP to SP over POST binding is especially dangerous/problematic.

UPDATE: the answer to your specific question can be found in the test code at the aforementioned linked issue, which contains a passport-saml enabled web application with an endpoint which handles e.g. LogoutRequest via POST binding. See initializeSAMLSPApp():

...
app.post(SP_SIDE_SINGLE_LOGOUT_SERVICE_ENDPOINT, passport.authenticate("saml", {} ));
...

i.e. it delegates handling of the IdP initiated LogoutRequest over POST binding to passport.authenticate(...), and at the end of the day the LogoutRequest ends up being handled by passport-saml's internal incoming LogoutRequest handling implementation, which

  1. shall call req.logout without checking whether the session was even authenticated and just assumes that the request is being handled in the context of the correct session
  2. shall generate a LogoutResponse with status code Success even if there was no authenticated session available during LogoutRequest processing, e.g. due to the reasons described at the linked issue
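To make the two points above concrete, here is an added example (not passport-saml's own code, and not from the linked issue) of an SP-side LogoutRequest handler that terminates the session named in the request itself (NameID + SessionIndex, looked up in a server-side index rather than the browser cookie) and answers with a non-Success status when no such session exists. It assumes the request signature was already verified upstream, that the session index, status URNs and sample request are constructed here, and that signing and binding-specific encoding of the response are done by the caller.

```javascript
// Added example, not passport-saml's own code. Terminates the SP session identified in the
// LogoutRequest and reports UnknownPrincipal (not Success) when nothing was there to log out.
// Assumes: signature verified upstream; server-side session index keyed by SessionIndex.
const SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';
const SAML = 'urn:oasis:names:tc:SAML:2.0:assertion';
const STATUS = {
  Success: 'urn:oasis:names:tc:SAML:2.0:status:Success',
  Requester: 'urn:oasis:names:tc:SAML:2.0:status:Requester',
  UnknownPrincipal: 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal',
};
// Field extraction for the constructed sample; a production handler would use a
// namespace-aware XML parser. Returns null when a required field is missing.
function parseLogoutRequest(xml) {
  const id = /<(?:\w+:)?LogoutRequest\b[^>]*\sID="([^"]+)"/.exec(xml);
  const nameId = /<(?:\w+:)?NameID\b[^>]*>([^<]+)</.exec(xml);
  const sessionIndex = /<(?:\w+:)?SessionIndex\b[^>]*>([^<]+)</.exec(xml);
  if (!id || !nameId || !sessionIndex) return null;
  return { id: id[1], nameId: nameId[1].trim(), sessionIndex: sessionIndex[1].trim() };
}
// sessions: Map<sessionIndex, { nameId, appSessionId }>, populated at login time.
// Returns the status to report and the application session (if any) that was terminated.
function processLogoutRequest(xml, sessions) {
  const req = parseLogoutRequest(xml);
  if (!req) return { inResponseTo: null, status: STATUS.Requester, subStatus: null, terminated: null };
  const entry = sessions.get(req.sessionIndex);
  if (!entry || entry.nameId !== req.nameId) {
    // No live SP session for this principal: say so rather than claiming Success.
    return { inResponseTo: req.id, status: STATUS.Requester, subStatus: STATUS.UnknownPrincipal, terminated: null };
  }
  sessions.delete(req.sessionIndex); // terminated from request data alone, no browser cookie needed
  return { inResponseTo: req.id, status: STATUS.Success, subStatus: null, terminated: entry.appSessionId };
}
// Builds the (unsigned) LogoutResponse; InResponseTo echoes the request ID when it was parsed.
function buildLogoutResponse(result, issuer, destination, responseId) {
  const esc = (s) => String(s).replace(/[<>&"]/g, (c) => ({ '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;' })[c]);
  const inResponseTo = result.inResponseTo ? ` InResponseTo="${esc(result.inResponseTo)}"` : '';
  const sub = result.subStatus ? `<samlp:StatusCode Value="${result.subStatus}"/>` : '';
  return `<samlp:LogoutResponse xmlns:samlp="${SAMLP}" ID="${esc(responseId)}" Version="2.0"` +
    ` IssueInstant="${new Date().toISOString()}" Destination="${esc(destination)}"${inResponseTo}>` +
    `<saml:Issuer xmlns:saml="${SAML}">${esc(issuer)}</saml:Issuer>` +
    `<samlp:Status><samlp:StatusCode Value="${result.status}">${sub}</samlp:StatusCode></samlp:Status>` +
    `</samlp:LogoutResponse>`;
}
// Constructed sample data: one live session and an IdP LogoutRequest that targets it.
const SAMPLE_SESSIONS = new Map([['_idx-1', { nameId: 'alice@example.com', appSessionId: 'sid-abc' }]]);
const SAMPLE_REQUEST = `<samlp:LogoutRequest xmlns:samlp="${SAMLP}" xmlns:saml="${SAML}" ID="_req-42" ` +
  `Version="2.0" IssueInstant="2020-08-16T00:00:00Z"><saml:Issuer>https://idp.example.org</saml:Issuer>` +
  `<saml:NameID>alice@example.com</saml:NameID><samlp:SessionIndex>_idx-1</samlp:SessionIndex></samlp:LogoutRequest>`;
```

Running the same request twice shows the difference from the behaviour described above: the first call terminates `sid-abc` and reports Success, the second finds no session and reports Requester/UnknownPrincipal instead of a second Success.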

@PaulaSazonov
Author

Thank you @srd90 for the insight, much appreciated! I still have not managed to produce a working solution, but it is good to know that the library's implementation is not spec compliant. I have also tried the suggestions provided in issue #221, but without success. It would be great if the documentation offered some more information on the logout process!

@PaulaSazonov
Author

I was able to solve my problem with returning a LogoutResponse, and thought I'd share in case someone else is struggling with the same thing: I had configured my strategy with authnRequestBinding: 'HTTP-POST' and skipRequestCompression: true, and this caused issues with the redirect endpoints (including a problem with strategy.logout()). Using a strategy without these flags set solved these issues, and I was able to return a valid LogoutResponse to the IdP. I would say this issue relates to #241, which was why the skipRequestCompression: true flag was set in the first place.

@markstos
Contributor

Closing as dupe of #419.
