Clearing jwt token during single lgout

Mejar Singh


I'm trying to delete a token in the browser during SLO, and tried to make a logout page /logout which clears the token and redirects to saml/LogoutServiceHTTPRedirectResponse but then face the error there:

[org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder] SAML message intended destination endpoint 'https:/

../logout' did not match the recipient endpoint 'https://../saml/LogoutServiceHTTPRedirect'

[2017-11-21 18:24:48,152] [ERROR] [default task-8] [dk.itst.oiosaml.sp.service.DispatcherServlet] Unable to validate Response

dk.itst.oiosaml.error.WrappedException: Wrapped

        at dk.itst.oiosaml.sp.model.OIOLogoutRequest.fromRedirectRequest(OIOLogoutRequest.java:90)

        at dk.itst.oiosaml.sp.service.LogoutServiceHTTPRedirectHandler.handleGet(LogoutServiceHTTPRedirectHandler.java:77)

        at dk.itst.oiosaml.sp.service.DispatcherServlet.doGet(DispatcherServlet.java:183)


which seems to be a security check.
Any workaround or is there another approach for clearing the token in the browser ?


have considered blacklisting the token serverside, but is there not a handle during SLO were a browser command could be run


It sounds like, the URL of your logout service (/logout) doesn't match the URL declared in your metadata. And I think, you are not supposed to redirect directly to saml/LogoutServiceHTTPRedirectResponse. That is something, that the IdP/STS should do. I.e. instead of writing your own /logout, which redirects to saml/LogoutServiceHTTPRedirectResponse, use the already provided saml/LogoutServiceHTTPRedirect, which redirect to NemLog-in logout, which sends the response back to saml/LogoutServiceHTTPRedirectResponse.

yes, that's the issue, but how can we ensure some browser manipulation during this process as when you need to clear a browser token ?

I did encounter somthing simular when i made http://www.skoleogliv.dk/  I never did find the answer, so if anybody finds out. please let me know!

You could try to do it the other way round.

After the SLO you should be redirected to the URL specified in oiosaml-sp.uri.home in the property file. There you can invalidate the JWT.


Hvad med at prøve noget alternativt, som fx Clairvoyance - Klarsyn24 - det er med sikkerhed noget som vil give indsigt i personlige udfordringer, muligheder og relationer.

Om det kan klare alle ovennævnte problemer er selvfølgelig et spørgsmål omkring hvorvidt den enkelte tror på det eller ej, men selv skeptikkere har oplevet utrolig indsigt og fået en meget positiv oplevelse.