Cognito logout does not work as documented

amazon-web-services adfs cognito
sharpthor picture sharpthor · Apr 20, 2018 · Viewed 12.5k times · Source

I have a Cognito user pool configured with a SAML identity provider (ADFS) and I'm able to sign it as a federated user (AD) but sign out does not work.

Following the documentation, I make a GET request to https://my-domain.auth.us-west-2.amazoncognito.com/logout?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com (using some public logout uri), from my client (an AngularJS 1.x app), and I get back a 302 with a Location header like 

https://my-domain.auth.us-west-2.amazoncognito.com/login?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com

(In fact there I see 2 requests like the above).

When I log back in (thru ADFS) it does not prompt for my AD credentials, i.e. seems that I'm not logged out.

My user pool is configured as described here (see step 7), where the Enable IdP sign out flow is checked, which is supposed to log the user out from ADFS as well.

Any suggestions? Thanks.

General
-------
Request URL: https://my-domain.auth.us-west-2.amazoncognito.com/logout?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com  
Request Method: GET  
Status Code: 302  
Remote Address: 54.69.30.36:443  
Referrer Policy: no-referrer-when-downgrade  

Response Headers
----------------
cache-control: private  
content-length: 0  
date: Fri, 20 Apr 2018 21:31:12 GMT  
expires: Thu, 01 Jan 1970 00:00:00 UTC  
location: https://my-domain.auth.us-west-2.amazoncognito.com/login?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com  
server: Server  
set-cookie: XSRF-TOKEN=...; Path=/; Secure; HttpOnly  
set-cookie: XSRF-TOKEN=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly  
status: 302  
strict-transport-security: max-age=31536000 ; includeSubDomains  
x-content-type-options: nosniff  
x-frame-options: DENY  
x-xss-protection: 1; mode=block  

Request Headers
---------------
:authority: my-domain.auth.us-west-2.amazoncognito.com  
:method: GET  
:path: /logout?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com  
:scheme: https
accept: application/json, text/plain, */*  
accept-encoding: gzip, deflate, br  
accept-language: en-US,en;q=0.9  
authorization: Bearer eyJra...  
cache-control: no-cache  
origin: https://localhost:8443  
pragma: no-cache  
referer: https://localhost:8443/logout  
user-agent: Mozilla/5.0...

Answer

DS. picture DS. · Jul 6, 2018

This redirect happens whenever logout_uri parameter doesn't match exactly what's listed among Sign out URL(s) in AWS Cognito User Pools App client settings configuration.

Cognito allows logout with either logout_uri or with the same arguments as login (i.e. redirect_uri and response_type) to log out and take the user back to the login screen. It seems that whenever logout_uri is invalid, it assume the re-login flow, does this redirect, and then reports an error about missing login arguments.

As for SAML, I don't know, but guessing that it doesn't work because there was actually an error, just not properly reported.

Related questions

Permission denied (publickey) when SSH Access to Amazon EC2 instance

I want to use my Amazon ec2 instance but faced the following error: Permission denied (publickey). I have created my key pair and downloaded .pem file. Given: chmod 600 pem file. Then, this command ssh -i /home/kashif/serverkey.pem ubuntu@…

Read More
Trying to SSH into an Amazon Ec2 instance - permission error

This is probably a stupidly simple question to some :) I've created a new linux instance on Amazon EC2, and as part of that downloaded the .pem file to allow me to SSH in. When I tried to ssh with: ssh …

Read More
Downloading an entire S3 bucket?

I noticed that there doesn't seem to be an option to download an entire S3 bucket from the AWS Management Console. Is there an easy way to grab everything in one of my buckets? I was thinking about making the …

Read More