How to use Cognito LOGOUT endpoint to really log out? - amazon-web-services

I'm trying to use Federated Authentication to enable login with Microsoft AD. It works fine and we can login. But when I call LOGOUT endpoint as the documentation says ( https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html ) and try to login again I'm not being redirected to Microsoft page to type my email and password again.
It seems like the email and password I typed are in cache and I just can see this login page again if I clean cache. How can we really logout the user in a way that when he login he needs to type his email and password again ?
Edit: I enabled 'Sing Out Idp Flow' as suggested in the answer but now I'm getting a 400 response saying "Required String parameter client_id is not present"
Does anybody have any clue how to solve this problem ?

You will need to ensure you select 'Enable IdP sign out flow' on your SAML Identity provider in Cognito. After navigating your browser to the logout endpoint, you should then be redirected to the SAML IDP logout aswell.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-console.html
Select Enable IdP sign out flow if you want your user to be logged out
from the SAML IdP when logging out from Amazon Cognito.
Enabling this flow sends a signed logout request to the SAML IdP when
the LOGOUT Endpoint is called.
Configure this endpoint for consuming logout responses from your IdP.
This endpoint uses post binding.

Edit: I enabled 'Sing Out Idp Flow' as suggested in the answer but now I'm getting a 400 response saying "Required String parameter client_id is not present" Does anybody have any clue how to solve this problem ?
You need to include the client_id parameter when calling the logout endpoint, the parameter is specified as required in the documentation you provided. The client id can be found in AWS Cognito console in User pools > Your User pool name > App Integration > Your app client name and you should see a Client ID there.

Related

Wso2 IS SMS OTP returns 401 page after login

Wso2 IS 5.10.0 I have configured basic auth and sms otp. I wanted to trigger basic auth using url like below without login page(skipping login page with authentication at backend with the username and password provided).
https://192.168.1.10:9448/oauth2/authorize?client_id=USER_PORTAL&code_challenge=KmuKeL_V3Gc5rRp9zEQeK0SFMrHZU25lLyrtnr8uekE&code_challenge_method=S256&commonAuthCallerPath=/oauth2/authorize&forceAuth=false&passiveAuth=false&redirect_uri=https://192.168.1.10:9448/user-portal/login&response_type=code&scope=internal_login+internal_humantask_view+openid&relyingParty=USER_PORTAL&type=oidc&sp=User+Portal&isSaaSApp=false&username=test&password=test#123
The login is successful but after that smsotp page is throwing 401 error even after authentication. But same thing is working if I am login with login page(mobile sms otp page will be shown successfully). I am not getting what is wrong.
EDIT:
After login it is routing to sms otp page like below.
https://192.168.1.10:9448/oauth2/smsotpauthenticationendpoint/smsotp.jsp?client_id=USER_PORTAL&code_challenge=KmuKeL_V3Gc5rRp9zEQeK0SFMrHZU25lLyrtnr8uekE&code_challenge_method=S256&commonAuthCallerPath=%2Foauth2%2Fauthorize&forceAuth=false&isSaaSApp=false&passiveAuth=false&redirect_uri=https%3A%2F%2F192.168.1.10%3A9448%2Fuser-portal%2Flogin&response_type=code&scope=internal_login+internal_humantask_view+openid&sp=User+Portal&tenantDomain=carbon.super&sessionDataKey=c23b62da-3031-44fd-892c-5cff2e62db58&relyingParty=USER_PORTAL&type=oidc&sp=User+Portal&isSaaSApp=false&authenticators=SMSOTP
This invalid URL (/oauth2/smsotpauthenticationendpoint/..) is generated due to relative URLs configured for the following properties (in deployment.toml). To address it, you can update them with a slash at the beginning as below.
[authentication.authenticator.sms_otp.parameters]
SMSOTPAuthenticationEndpointURL= "/smsotpauthenticationendpoint/smsotp.jsp"
SMSOTPAuthenticationEndpointErrorPage= "/smsotpauthenticationendpoint/smsotpError.jsp"
MobileNumberRegPage = "/smsotpauthenticationendpoint/mobile.jsp"

WSO2 Logout ID token signature validation failed

I want to logout from my service provider saas registered in wso2.
I'm login with tenant user es. tenant#domain.com;
When I make the logout request "https://:9443/oidc/logout?id_token_hint=&post_logout_redirect_uri=" it response with this error:
"ID token signature validation failed."
I've check "Use tenant domain in local subject identifier" option in service provider
There's couple of things that could've gone wrong here. First, the entered id_token_hint param could be expired or invalid. How did you obtain the IDToken in this case?
Second, have you registered the post_logout_redirect_uri in the SP configurations in the IdP? Follow this to verify if the post_logout_redirect_uri is configured properly in the IdP. https://is.docs.wso2.com/en/5.9.0/learn/openid-connect-logout-url-redirection/

WSO2IS-5.7.0 OIDC SSO logout without id_token_hint

I am working with OIDC and WSo2IS-5.7.0. I Want to implement rp initiated global logout (I want to terminate the session from RP and as well as OP or WSO2 in my case.) When user clicks on logout button, I am redirecting the user to this URL :
https://myserver:9443/oidc/logout?id_token_hint=<idtoken>&post_logout_redirect_uri=https://myotherserver.com/myapp/index
It is working fine and user is redirected to login page of wso2. My client consider it not secure and want to do the same without being send id_token to front end. Is it possible with wso2is-5.7.0?
If yes, how?
If no, isn't it insecure that we send id token to FE? anyone can use it to make API call?
It is not possible. In WSO2 implementation we use the id_token_hint to extract the client_id from the id_token (sent as the id_token_hint). This is necessary to retrieve the service provider information for which the id_token was issued to.
Otherwise we don't have a way to validate whether the value sent in post_logout_redirect_uri is a registered callback for the service provider.
So if we omit the id_token_hint, we cannot validate the post_logout_redirect_uri sent which will open up another security hole allowing redirection to untrusted uris.

AWS AUTHORIZATION endpoint redirecting to LOGIN endpoint

In AWS, I have a User Pool.
That user pool has a user.
That user pool has an App client, with App Client Id of MY-CLIENT-ID.
That App client is enabled as an identity provider for the cognito user pool, has a callback url of https://MY_APP/redirect_uri, has only "Authorization code grant" checked under "Allowed OAuth Flows" and "email" and "openid" checked under "Allowed OAuth Scopes".
That user pool has a domain name of MY-DOMAIN.
When I navigate to
https://MY-DOMAIN.auth.us-east-1.amazoncognito.com/login?
response_type=code&
client_id=MY-CLIENT-ID&
redirect_uri=https://MY_APP/redirect_uri
I am redirected to the default Cognito login screen, and can successfully authenticate with my User pool user. After authenticating, I am redirected to
https://MY_APP/redirect_uri?code=AUTHORIZATION_CODE
However, when I navigate (either via browser or curl) to
https://MY-DOMAIN.auth.us-east-1.amazoncognito.com/oauth2/authorize?
response_type=code&
client_id=MY-CLIENT-ID&
redirect_uri=https://MY_APP/redirect_uri
where I expect
HTTP/1.1 302 Found
Location: https://MY_APP/redirect_uri?code=AUTHORIZATION_CODE
instead, I'm receiving
HTTP/1.1 302 Found
Location: https://MY-DOMAIN.auth.us-east-1.amazoncognito.com/login?
response_type=code&
client_id=MY-CLIENT-ID&
redirect_uri=https://MY_APP/redirect_uri
which (obviously) redirects me to the login page.
I'm certain I've overlooking something obvious, but cannot figure out what it is.
Ref: https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
Do you expect from Cognito to provide SSO? Apparently Cognito is not working that way.
As far I have my experience, with new authentication request the user will be indeed redirected to the login form. If the user is already having a web session (cookie), there is option to continue with existing user session or reauthenticate.
After that (reauthenticatation) the user is redirected to the callback redirect_uri

wso2 - Does wso2 identity server support IDP initiated logout from federated IDP?

We are using WSO2 Identity Server 5.3.0. I configured trust between WSO2 IDP (symbolic name "IDP1") and the Service provider (symbolic name "SP1"). Then I configured second trust between WSO2 acting as a service provider ("SP2") and federated IDP (symbolic name "IDP2", some public/gov service). SP1 protects some resources, access to them is granted only when users are authenticated to IDP2. Everything is based on SAML protocol.
Login works fine - login requests are redirected from WSO2(=IDP1) to IDP2.
IDP1 initiated logout works fine too.
But IDP2 initiated logout fails with message (in a browser): "Attention: Something went wrong during the authentication process. Please try signing in again." It generates the record to the WSO2 log: "{...DefaultRequestCoordinator} Context does not exist. Probably due to invalidated cache".
During the IDP2 initiated logout correct LogoutRequest is sent to WSO2 (https://amsrv.mydomain.org:9443/commonauth).
Does WSO2 support such scenario (IDP2 initiated logout)?
SLO is working based session ID. You cannot invalidate a session that is not recognized by the IDP.
Your log seens to indicate that the context [pointed by the session id provided in the SLO request] does not exist so cannot be terminated.
Please deactivate Ciphering on the flow, put a Wireshark and look at it. WSO2IS is providing a screen in user dahsboard to see which session are open and with which ids.
I suspect that IdP2 is sending the session ID of the session between Client and IdP2... not the session ID of session between Client and IdP1.
Jeff