SAML2 Single logout ext IDP - using GCIP as SP

[Terrance R]

Hello,

We have Salesforce as Ext IDP and GCIP is used to integrate with ext IDP using SAML2 protocol. GAE resources are protected by GCIP and firebase app is used to perform authentication.

Authentication is working seamlessly, however SIGNOUT is not. Invoking /gcp-iap-mode=GCIP_SIGNOUT on app is showing as signed out however firebase app is reauthenticating user.

Is there is a way to signout user completely so that Idp session as well as GCIP sessions are invalidated and user will be forced to login again?

We do not see any configurable parameter on GCIP SAML2 provider settings to configure signout  url which can take part in SAML2 based logout workflow

[Julio Colino]

Hello,

I took a look to this document [1] and it shows a similar way to sign users out.

I am not sure how you are implementing it.

Feel free so share a bit more background of your use case or if you are following any guide is this doesn't work for you.

[1] https://cloud.google.com/iap/docs/external-identity-sessions#signing_users_out

[Terrance R]

We had looked at the link you shared earlier. We noticed that even after invoking signout url for app, GCIP is reauthenticating and not completely signing out the user because the IDP session is still valid. The behavior is documented in the link as well.

In order to sign the user out of  IDP session, saml response (xml)  is needed which has the session index and all so the same info can be sent to IDP logout request. Since GCIP is acting as SP, the SAML exchange is primarily between IDP and GCIP and wanted to avoid doing any SAML tracing on the browser using SPA.

Any thoughts

[Nahuel Gavilan Bernal]

Sign the user out of IDP session using a SAML2 response  is not presently available. I have filed a feature request to the Identity Platform team so it may be implemented in the future. You can follow the resolution ofthe feature request in this link [1].

[1] https://issuetracker.google.com/issues/180097471