Saml logout not working
Zitadel version: 3.2.0 (latest)
Login v1 and v2 (we are using v2)
Use federate logout checkbox in IDP configuration: checked
Hello, we have multiple saml idps registered. While the login works fine, the logout does not.
When the logout is triggered, the zitadel session is terminated and the user is redirected to the login page, but when they log in again, they are automatically logged in without passing through the idp login.
If the slo endpoint "https://domain.com/idps/123456/saml/slo" is manually executed, a 400 is returned with body "ID=SAML-3uor2 Message=Errors.Intent.NotFound"
As far as we understood, the saml logout should be triggered automatically when the logout in zitadel is clicked.
Are we missing something? Thanks
9 Replies
bump
Dear ZITADEL team, is the following GH issue needed for SAML logout to work out of the box in the use case described by @sagion?
https://github.com/zitadel/zitadel/issues/9980
SAML SLO implementation including session termination · Issue #998...
Implement logout as implemented with OIDC zitadel/internal/api/oidc/op.go Line 250 in 046b165 defaultLogoutURLV2: config.DefaultLogoutURLV2, , which should include the logout through terminating th...
hey @Arnau thanks for the bump, I will check the status of this issue within the team and see what they have to say
hey @Arnau raised it internally so stefan/other engineer can comment on the issue/here.
Hello @Rajat do you have any news?
hey @Arnau I will write you back with a response today/tomorrow.
Thanks! 🙏
hey @sagion There is currently no functionality to log out through SAML, that's why they created this issue. There is no WIP feature for now, it's just not there for now. If something changes, I will let you know.
Thanks @Rajat
It's a bit strange to have the checkbox to enable the federated logout for the saml Idp, but the feature is not there 😅
Not sure if we misunderstood something from the feature released in v3.2.0 https://github.com/zitadel/zitadel/releases/tag/v3.2.0.
I don't understand how a SAML Federated Logout option is provided in the SAML IdP configuration but then turns out "there is no functionality to logout through SAML".
Tried it out as well with the Login V1 console to discard any possible missing fork updates on our Login V2, and it does not work either.
I get redirected to:
/ui/login/logout/externalidp?sessionID=V1_324337516578611013
and our Ingress returns a 502 Bad Gateway. I can also see logs referring to the location of the ForgeRock IDP endpoint IDPSloRedirect
and these cache-related errors:
time=2025-06-13T12:03:51.539Z level=ERROR source=/home/runner/work/zitadel/zitadel/internal/cache/connector/pg/pg.go:90 msg="pg cache set" cache_purpose=federated_logout err="context canceled"
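As an added example (not code from the thread or from the ZITADEL project), the snippet below parses ZITADEL's key=value log lines and flags ERROR entries whose cache_purpose is federated_logout, so a failed federated logout can be alerted on instead of going unnoticed. The sample input is constructed: the second line is the one quoted above, the others are made up; the only assumption is the slog-style key=value format shown in that line.

```python
import shlex

# Constructed sample log lines in the key=value format shown in the thread.
# The second line is the one quoted above; the others are made up for illustration.
SAMPLE_LOGS = """\
time=2025-06-13T12:03:50.100Z level=INFO source=internal/api/ui/login/logout.go:40 msg="logout" session_id=V1_324337516578611013
time=2025-06-13T12:03:51.539Z level=ERROR source=/home/runner/work/zitadel/zitadel/internal/cache/connector/pg/pg.go:90 msg="pg cache set" cache_purpose=federated_logout err="context canceled"
time=2025-06-13T12:03:52.000Z level=ERROR source=internal/cache/connector/pg/pg.go:90 msg="pg cache get" cache_purpose=user_info err="timeout"
"""


def parse_line(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_federated_logout_errors(log_text):
    """Return the ERROR records that belong to the federated_logout cache purpose.

    Each such record means ZITADEL failed to store the state it needs to send the
    user on to the IdP's SLO endpoint, so the IdP-side session likely survives.
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("level") == "ERROR" and rec.get("cache_purpose") == "federated_logout":
            findings.append({
                "time": rec.get("time"),
                "source": rec.get("source"),
                "msg": rec.get("msg"),
                "err": rec.get("err"),
            })
    return findings


if __name__ == "__main__":
    for f in find_federated_logout_errors(SAMPLE_LOGS):
        print(f"{f['time']} federated logout failed: {f['msg']} ({f['err']})")
```

Pipe the ZITADEL container log into find_federated_logout_errors and treat any hit as a sign that the user's session at the IdP was not terminated even though the ZITADEL session was, which is exactly the symptom described at the top of the thread.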