node.jsexpresssingle-sign-onpassport.jspassport-saml

Passport saml logout is not working because of callback url


I am using passport saml to logout from IDP here is my code:

    module.exports = function logout(app, samlStrategy, config) {
  app.get('/logout', (req, res) => {


    const { webUser } = req;
    const { role, nameID } = webUser || {};

    if (role === ROLENAME_WEB_USER && nameID) {
      samlStrategy.logout(req, (err, requestUrl) => {
        // redirect to the IdP with the SAML logout request
        console.log(`req url is is:${requestUrl}`);
        res.redirect(requestUrl);
      });
    } else {
      res.redirect(LOGGED_OUT_URL);
    }
  });

  app.post(config.externalSSO.logoutCallbackPath, (req, res) => {
    // console.log('SAML logout callback:');
    // console.log(req);
    res.redirect(LOGGED_OUT_URL);
  });
};

And here is my passport saml config:

loginPath: process.env.EXTERNAL_SSO_LOGIN_PATH,
callbackUrl: process.env.BASE_ADDRESS + process.env.EXTERNAL_SSO_CALLBACK_PATH,
callbackPath: process.env.EXTERNAL_SSO_CALLBACK_PATH,
logoutUrl: process.env.EXTERNAL_SSO_LOGOUT_URL,
// logoutCallbackPath: '/logout/external/callback',
logoutCallbackUrl: process.env.EXTERNAL_SSO_LOGOUT_URL,
metadataPath: `${process.env.EXTERNAL_SSO_LOGIN_PATH}/metadata`,
entryPoint: process.env.EXTERNAL_SSO_ENTRYPOINT,
issuer: process.env.EXTERNAL_SSO_ISSUER,
idpPublicCert: process.env.EXTERNAL_SSO_IDP_CERT,
spPrivateCert: process.env.EXTERNAL_SSO_SP_SIGNING_PRIVATE_KEY,
decryptionPvk: process.env.EXTERNAL_SSO_SP_DECRYPTION_PRIVATE_KEY,
decryptionCert: process.env.EXTERNAL_SSO_SP_DECRYPTION_PUBLIC_KEY,
authnRequestBinding: process.env.EXTERNAL_SSO_AUTHN_REQUEST_BINDING,

The problem is that I tried to get rid of the second api call in the above code because that redirect to LOGGED_OUT_URL stopped my SLO process,so I changed and I deployed on dev env and I got this exception:

 {"error":{"message":"Not found"}}

the wired thing is that still redirect me to the logoutCallbackPath url!


Solution

  • The problem was that passport didn't update sp metadata because of having some problem in generateServiceProviderMetadata( decryptionCert, signingCert ) method. So I updated certs and figured out how to re-generate it.