SLO not redirecting to specified URL ($auth->logout($returnTo);) #519

Open
it-esfl opened this issue Mar 8, 2022 · 3 comments

it-esfl commented Mar 8, 2022

Hi there,

is it normal behavior that an SLO with $auth->logout($returnTo); does not redirect to the named URL?
In my case after a successful SLO (sessions are cleared correctly) it just says "Sucessfully logged out" (the URL in the browser in my case is index.php?sls&SAMLResponse=XXX&RelayState=correct_URL&....). So it seems that the URL from RelayState is not applied. Is this a known behavior or possibly a misconfiguration?

Many thanks in advance!

@MitchTalmadge

We are running into the same issue. Did you find anything?

@farahalrabee2

I'm facing the same issue, any update? @it-esfl

Contributor

pitbulk commented Dec 29, 2022

@it-esfl, @MitchTalmadge, @farahalrabee2

If you are using the code of the demo1

```php
else if (isset($_GET['sls'])) {
    // Recover the ID of the LogoutRequest this SP sent, if any, so the
    // LogoutResponse can be matched against it
    if (isset($_SESSION) && isset($_SESSION['LogoutRequestID'])) {
        $requestID = $_SESSION['LogoutRequestID'];
    } else {
        $requestID = null;
    }

    $auth->processSLO(false, $requestID);
    $errors = $auth->getErrors();
    if (empty($errors)) {
        echo '<p>Sucessfully logged out</p>';
    } else {
        echo '<p>' . htmlentities(implode(', ', $errors)) . '</p>';
        if ($auth->getSettings()->isDebugActive()) {
            echo '<p>'.htmlentities($auth->getLastErrorReason()).'</p>';
        }
    }
}
```

Such code, in case of success in an SP-initiated Single Logout process, ends up printing the "Sucessfully logged out" message that you mention. But this is just a demo.

You could improve the code and take care of the redirection; ideally, for UX reasons, first notifying the user about the logout action and then redirecting, so for example:

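```php
echo '<p>Sucessfully logged out</p>';
if (isset($_GET['RelayState'])) {
    // Add code to confirm RelayState is a trusted URL before redirecting

    // json_encode with the JSON_HEX_* flags emits a quoted JavaScript string
    // literal, so the value cannot break out of the string or the <script> block
    $target = json_encode(
        $_GET['RelayState'],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    echo '
        <script>
        setTimeout(function () {
            window.location.href=' . $target . ';
        },5000);
        </script>
    ';
}
```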
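One way to fill in the "confirm RelayState is a trusted URL" step from the comment above, as an added example (not code from the project or from this thread). The function name `safeReturnUrl`, the host allowlist, the fallback URL and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Hypothetical allowlist and fallback; replace with the SP's own values.
const TRUSTED_RETURN_HOSTS = ['sp.example.com'];
const DEFAULT_RETURN_URL   = '/';

/**
 * Return $relayState only if it is a same-site path or an https URL on an
 * allowlisted host; otherwise return the fallback. RelayState arrives in the
 * query string, so it is attacker-controlled until checked.
 */
function safeReturnUrl($relayState): string
{
    if (!is_string($relayState) || $relayState === '') {
        return DEFAULT_RETURN_URL;
    }
    // Control characters, spaces and backslashes are normalised differently
    // by browsers and by parse_url(), so refuse them outright.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $relayState)) {
        return DEFAULT_RETURN_URL;
    }
    // Same-site path: one leading slash. "//host/..." is protocol-relative.
    if ($relayState[0] === '/') {
        $protocolRelative = strlen($relayState) > 1 && $relayState[1] === '/';
        return $protocolRelative ? DEFAULT_RETURN_URL : $relayState;
    }
    $parts = parse_url($relayState);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return DEFAULT_RETURN_URL;   // e.g. "javascript:..." has no host
    }
    if (strtolower($parts['scheme']) !== 'https'
        || isset($parts['user']) || isset($parts['pass'])
        || !in_array(strtolower($parts['host']), TRUSTED_RETURN_HOSTS, true)) {
        return DEFAULT_RETURN_URL;
    }
    return $relayState;
}

// Constructed sample inputs: the first two are accepted, the rest fall back.
foreach ([
    '/index.php?loggedout=1',
    'https://sp.example.com/portal',
    '//evil.example/x',
    'javascript:alert(1)',
    'https://sp.example.com@evil.example/',
    'https://sp.example.com.evil.example/',
] as $sample) {
    printf("%-40s => %s\n", $sample, safeReturnUrl($sample));
}
```

The value returned by `safeReturnUrl($_GET['RelayState'])` is what should be passed to the redirect, and it still needs output encoding for whichever context it is written into.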
