authenticationamazon-cognitologoutgoogle-workspacesingle-logout

Google Workspace + AWS Cognito | Single Logout using SAML Integration


I am working on integrating AWS Cognito with my front-end web application, using Google Workspace as the SAML Idp. I'm using the Authentication Code Flow with PKCE, and I am able to successfully authenticate and retrieve my id + access + refresh tokens.

The problem I am running into is that when I hit the <user-pool-domain>/logout endpoint (with client_id and logout_uri), the logout flow appears to succeed and redirects to my logout callback. However, if I then try to login again - it bypasses Google Workspace and immediately authenticates successfully. So for whatever reason, the logout flow is not correctly ending the user's session with Google Workspace...

If I try <user-pool-domain>/saml2/logout (again passing in client_id and logout_uri as url parameters) then I get an error page that just says "An error was encountered with the requested page"

I have enabled the Signout flow under the Idp configuration in Cognito.

Am I missing additional configuration? Any ideas how to debug this?


Solution

  • After spending the weekend working on this, I've found an acceptable solution:

    1. When the user wants to logout, first send a request to AWS Cognito to revoke the user's tokens via /oauth2/revoke (see https://docs.aws.amazon.com/cognito/latest/developerguide/revocation-endpoint.html)
    2. Next redirect the user to AWS Cognito's logout endpoint /logout (see https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html)

    While this won't log the user out of Google (since Google does not support the SAML2 Single Logout flow...) it will properly end AWS Cognito's session with Google such that if you then logout of Google and then attempt to login again by redirecting to the AWS Cognito /login endpoint, the user will be forced to re-authenticate with Google!

    Why AWS Cognito doesn't already revoke the user's tokens upon invoking the standard /logout endpoint I don't know... Seems like a bug on AWS' side... Should probably be documented somewhere if this is expected behavior.