providers/saml: send logoutResponse on sp-init logout #17691

Merged
PeshekDotDev merged 13 commits into main from saml-logout-response
Feb 11, 2026
PeshekDotDev (Contributor) commented Oct 24, 2025

Details

This PR automatically sends a logoutResponse when logging out of a SAML provider via the SP.


Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make docs)

netlify bot commented Oct 24, 2025

Deploy Preview for authentik-docs canceled.

Name Link
🔨 Latest commit ee19e30
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/694087c5b2133f0008e2a043

netlify bot commented Oct 24, 2025

Deploy Preview for authentik-integrations canceled.

Name Link
🔨 Latest commit ee19e30
🔍 Latest deploy log https://app.netlify.com/projects/authentik-integrations/deploys/694087c30541fb0008395bb2

netlify bot commented Oct 24, 2025

Deploy Preview for authentik-storybook ready!

Name Link
🔨 Latest commit f4d342a
🔍 Latest deploy log https://app.netlify.com/projects/authentik-storybook/deploys/69850ab692a61200087784c4
😎 Deploy Preview https://deploy-preview-17691--authentik-storybook.netlify.app

PeshekDotDev changed the title from "Automatically send logoutResponse via iframe" to "providers/saml: Automatically send logoutResponse via iframe" Oct 24, 2025

codecov bot commented Oct 24, 2025

Codecov Report

❌ Patch coverage is 88.24701% with 59 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.20%. Comparing base (49a9cbf) to head (f4d342a).
⚠️ Report is 86 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
...iders/saml/processors/logout_response_processor.py 68.00% 32 Missing ⚠️
authentik/providers/saml/views/sp_slo.py 22.85% 27 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #17691      +/-   ##
==========================================
- Coverage   93.23%   93.20%   -0.04%     
==========================================
  Files         968      971       +3     
  Lines       53567    54053     +486     
==========================================
+ Hits        49945    50380     +435     
- Misses       3622     3673      +51     
Flag Coverage Δ
conformance 37.71% <10.55%> (-0.27%) ⬇️
e2e 43.63% <10.95%> (-0.32%) ⬇️
integration 22.61% <9.36%> (-0.10%) ⬇️
unit 91.39% <87.84%> (-0.01%) ⬇️
unit-migrate 91.41% <87.84%> (-0.01%) ⬇️


github-actions bot commented Oct 24, 2025

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-afe9b73f82be2eeb369d5fc100fd61e2c46e1210
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-afe9b73f82be2eeb369d5fc100fd61e2c46e1210

Afterwards, run the upgrade commands from the latest release notes.

PeshekDotDev changed the title from "providers/saml: Automatically send logoutResponse via iframe" to "providers/saml: send logoutResponse on sp-init logout" Nov 6, 2025
@PeshekDotDev PeshekDotDev marked this pull request as ready for review November 13, 2025 03:10
@PeshekDotDev PeshekDotDev requested review from a team as code owners November 13, 2025 03:10
@PeshekDotDev PeshekDotDev marked this pull request as draft November 13, 2025 03:11
@PeshekDotDev PeshekDotDev marked this pull request as ready for review December 9, 2025 22:07
Comment on lines +80 to +85
const messageKey = this.challenge.samlResponse ? "response" : "request";
return html`<ak-flow-card .challenge=${this.challenge} loading>
<span slot="title"
>${msg(str`Posting logout request to SAML provider: ${providerName}`)}</span
>${msg(
str`Posting logout ${messageKey} to SAML provider: ${providerName}`,
)}</span
Member commented:

Should be separate strings instead to better support translation (for the messageKey

Comment on lines 28 to 35
interface LogoutURLData {
url: string;
saml_request?: string;
saml_response?: string;
relay_state?: string;
provider_name?: string;
binding?: string;
}
Member commented:

This shouldn't need to be defined manually, they should come from the API schema

class LogoutURL(PassiveSerializer):

    url = CharField()
    [ ... ]


class IframeLogoutChallenge(Challenge):
    """Challenge for iframe logout"""

    component = CharField(default="ak-provider-iframe-logout")
    logout_urls = ListField(child=LogoutURL(), default=list)

Comment on lines 23 to 26
Member commented:


enum LogoutStatusStatus {
    Pending = "pending",
    Success = "success",
    Error = "error",
}

interface LogoutStatus {
    providerName: string;
    status: LogoutStatusStatus;
}

mainly for the switch case to complain when it's not exhaustive

firstUpdated(changed: PropertyValues<this>): void {
super.firstUpdated(changed);

if (this.challenge.url !== undefined) {
Member commented:

Suggested change
if (this.challenge.url !== undefined) {
if (changed.has("challenge") && this.challenge.url !== undefined) {

Member commented:

disclaimer: my solution, not @goauthentik/frontend approved

PeshekDotDev added the backport/version-2025.12 label Dec 16, 2025
Comment on lines 21 to 29
Member commented:

Suggested change
component = CharField(default="ak-provider-saml-native-logout")
provider_name = CharField()
url = CharField()
binding = CharField() # If possible, choice field
saml_request = CharField(required=False)
saml_response = CharField(required=False)
relay_state = CharField(required=False)
is_complete = BooleanField(default=False)

@PeshekDotDev PeshekDotDev moved this from Todo to In review in authentik Core Jan 6, 2026
rissson removed the backport/version-2025.12 label Jan 14, 2026
Signed-off-by: Connor Peshek <connor@connorpeshek.me>
Comment on lines +21 to +27
class SAMLLogoutURL(LogoutURL):
"""SAML-specific logout URL data"""

saml_request = CharField(required=False, allow_null=True)
saml_response = CharField(required=False, allow_null=True)
saml_relay_state = CharField(required=False, allow_null=True)
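
Review bot: `saml_request` and `saml_response` are both declared `required=False, allow_null=True`, so this serializer accepts a logout URL entry that carries both messages or neither. The frontend snippet earlier in this thread picks the message type with `this.challenge.samlResponse ? "response" : "request"`, so an entry with neither field set would be treated as a request and posted with no SAML message. Consider a `validate()` that requires exactly one of the two fields, and add a docstring line saying which one is expected for SP-initiated versus IdP-initiated logout.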

Member commented:

For the time being we can just do a single class actually

@github-project-automation github-project-automation bot moved this from In review to In Progress in authentik Core Feb 5, 2026
@PeshekDotDev PeshekDotDev moved this from In Progress to In review in authentik Core Feb 6, 2026
@PeshekDotDev PeshekDotDev merged commit 858a040 into main Feb 11, 2026
101 of 102 checks passed
@PeshekDotDev PeshekDotDev deleted the saml-logout-response branch February 11, 2026 20:18
@github-project-automation github-project-automation bot moved this from In review to Done in authentik Core Feb 11, 2026
kensternberg-authentik added a commit that referenced this pull request Feb 12, 2026
* main: (59 commits)
  website/docs: 2025.12.4 release notes (#20226)
  website/docs: 2025.10.4 release notes (#20242)
  security: CVE-2026-25748 (#20240)
  security: CVE-2026-25922 (#20241)
  security: CVE-2026-25227 (#20239)
  ci: fix release testing (#20207)
  core: Apply CSpell corrections. (#20191)
  core: bump goauthentik.io/api/v3 to 3.2026.5.0-rc1-1770842608 (#20213)
  core, web: update translations (#20215)
  core: bump library/node from 25.6.0-trixie to 25.6.1-trixie in /website (#20220)
  core: bump google-api-python-client from 2.189.0 to 2.190.0 (#20217)
  core: bump webauthn from 2.7.0 to 2.7.1 (#20218)
  ci: bump docker/build-push-action from 6.18.0 to 6.19.1 (#20221)
  website/integrations: Update Komga instructions to add "email_verified" attribute to "email" claim. (#20135)
  website: Apply CSpell corrections. (#20189)
  providers/saml: send logoutResponse on sp-init logout (#17691)
  website/docs: ssf: update SSF documentation (#20195)
  website/docs: draft of new WS-Fed provider docs  (#20091)
  website/docs: add email verification scope doc (#20141)
  website/docs: correct reference to overriden S3 variable (#20156)
  ...