
Bugfix saml logout#4315

Open
SoniaComp wants to merge 2 commits into cloudera:master from SoniaComp:bugfix-saml-logout

Conversation

Contributor
@SoniaComp SoniaComp commented Feb 12, 2026

What changes were proposed in this pull request?

change LogoutView to LogoutInitView

In the current implementation, logout was handled using LogoutView, which is designed to process logout responses sent by the IdP (i.e., IdP → SP callback). However, our use case requires initiating the logout flow from the Service Provider (SP) side when a user clicks the logout button.

According to the djangosaml2 documentation:

  • LogoutView handles SAML LogoutResponse or LogoutRequest messages sent from the IdP.
  • LogoutInitView initiates a SAML2 LogoutRequest from the SP to the IdP.
```python
class LogoutView(SPConfigMixin, View):
    """SAML Logout Response endpoint

    The IdP will send the logout response to this view,
    which will process it with pysaml2 help and log the user
    out.
    Note that the IdP can request a logout even when
    we didn't initiate the process as a single logout
    request started by another SP.
    """
...
class LogoutInitView(LoginRequiredMixin, SPConfigMixin, View):
    """SAML Logout Request initiator

    This view initiates the SAML2 Logout request
    using the pysaml2 library to create the LogoutRequest.
    """
```

The issue we encountered was that the logout process stopped at the SP level and did not propagate to the IdP, because the SAML session information (saml_session) was missing. As a result, Single Logout (SLO) was not properly completed.

To resolve this:

I changed the logout entry point from LogoutView to LogoutInitView. This ensures that when the user clicks the logout button, the flow correctly starts from SP → IdP. The logout process now properly initiates a SAML LogoutRequest and completes the SLO flow. This change aligns the logout behavior with the intended SAML SLO flow and ensures IdP-level logout is triggered correctly.

set cookie conf for djangosaml2

In djangosaml2.middleware.SamlSessionMiddleware, session information is:

  • Stored in cookies during process_response
  • Retrieved from cookies during process_request

However, in the latest version of Hue, there is no configurable way to set required cookie attributes such as COOKIE_DOMAIN, COOKIE_PATH. (Source Code Link)

Without these attributes being correctly configured, the SAML session cookie is not properly stored in the browser. As a result: saml_session is empty during logout. The IdP logout step fails because required session information (e.g., subject_id) is missing.

To address this limitation, I identified that properly configuring cookie settings would require modifying Hue source code.

This approach ensures consistent logout behavior even when Hue does not expose cookie configuration options for djangosaml2.

How was this patch tested?

This patch was tested on the latest main branch of our company’s production Hue environment.
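The cookie-scoping failure described in this PR (the `saml_session` cookie never comes back on the logout request, so `request.saml_session` is empty and the IdP never receives a LogoutRequest) can be reproduced offline by applying the rules a browser uses to decide whether to store and return a cookie. The check below is an added example for this discussion, not code from Hue or djangosaml2: it implements the RFC 6265 domain-match, path-match and Secure rules and runs them against a captured `Set-Cookie` header. The URLs `/saml2/acs/` and `/saml2/logout/` are assumed mount points for djangosaml2's ACS and logout views, and every header value is constructed for illustration.

```python
"""Check whether djangosaml2's saml_session cookie would be returned on a logout request.

Added example, not Hue's or djangosaml2's code. Applies RFC 6265 storage and
matching rules to a Set-Cookie header captured from the SAML ACS response and
reports whether a later request (the SP-initiated logout) would carry the cookie.
URLs and header values are constructed; /saml2/acs/ and /saml2/logout/ are assumed.
"""
import ipaddress
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

COOKIE_NAME = "saml_session"  # djangosaml2's default session cookie name


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the cookie domain or is a subdomain of it (never for IP literals)."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP address never domain-matches a suffix
    except ValueError:
        return host.endswith("." + cookie_domain)


def default_path(uri_path: str) -> str:
    """RFC 6265 5.1.4: path assigned when Set-Cookie carries no Path attribute."""
    if not uri_path.startswith("/") or uri_path.count("/") == 1:
        return "/"
    return uri_path.rsplit("/", 1)[0]


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: cookie path equals the request path, or is a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_sent_on(set_cookie: str, set_on_url: str, request_url: str,
                   name: str = COOKIE_NAME) -> tuple[bool, str]:
    """Return (sent, reason) for cookie `name` received at set_on_url and a later request to request_url."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return False, f"Set-Cookie does not carry {name!r}"
    m = jar[name]
    src, dst = urlsplit(set_on_url), urlsplit(request_url)
    src_host, dst_host = src.hostname or "", dst.hostname or ""
    dst_path = dst.path or "/"

    # Domain: the browser rejects a cookie whose Domain does not cover the host that set it
    # (RFC 6265 5.3); without a Domain attribute the cookie is host-only.
    if m["domain"]:
        if not domain_match(src_host, m["domain"]):
            return False, f"Domain={m['domain']} does not cover {src_host}; cookie rejected when set"
        if not domain_match(dst_host, m["domain"]):
            return False, f"Domain={m['domain']} does not cover {dst_host}"
    elif dst_host != src_host:
        return False, f"host-only cookie for {src_host}, request goes to {dst_host}"

    # Path: a missing Path attribute falls back to the directory of the URL that set the cookie,
    # which for an ACS response is /saml2/acs and therefore never covers /saml2/logout/.
    cookie_path = m["path"] or default_path(src.path or "/")
    if not path_match(dst_path, cookie_path):
        return False, f"Path={cookie_path} does not cover {dst_path}"

    # Secure: never sent over plain http.
    if m["secure"] and dst.scheme != "https":
        return False, "Secure cookie is not sent over http"

    # SameSite=None (needed for the IdP -> SP LogoutResponse POST) is dropped by browsers unless Secure is set.
    if m["samesite"].lower() == "none" and not m["secure"]:
        return False, "SameSite=None requires Secure; browsers drop the cookie"

    return True, f"cookie sent (Path={cookie_path}, SameSite={m['samesite'] or 'default'})"


if __name__ == "__main__":
    acs = "https://hue.example.com/saml2/acs/"        # assumed ACS URL (constructed)
    logout = "https://hue.example.com/saml2/logout/"  # assumed LogoutInitView URL (constructed)
    cases = {
        "no Path attribute": "saml_session=s3kr3t; Secure; HttpOnly; SameSite=None",
        "wrong Domain": "saml_session=s3kr3t; Domain=idp.example.com; Path=/; Secure",
        "correct scope": "saml_session=s3kr3t; Path=/; Secure; HttpOnly; SameSite=None",
    }
    for label, header in cases.items():
        print(f"{label:18} -> {cookie_sent_on(header, acs, logout)}")
```

Feed it the `Set-Cookie` line from the browser's network tab on the ACS response and the URL of the logout link; the reason string names the attribute that keeps `saml_session` from reaching the logout view. The `SameSite` check matters for the other direction too: the IdP's LogoutResponse arrives as a cross-site POST to `LogoutView`, which a `Lax` cookie would not accompany.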

