CR

lib/web/apiserver.go

@@ -2170,12 +2170,20 @@ func (h *Handler) deleteWebSession(w http.ResponseWriter, r *http.Request, _ htt
 
 	clt, err := ctx.GetClient()
 	if err != nil {
-		return nil, trace.Wrap(err)
+		h.log.
+			WithError(err).
+			Debug("Failed to retrieve user client during logout.")
 	}
 
-	user, err := clt.GetUser(r.Context(), ctx.GetUser(), false)
-	if err != nil {
-		return nil, trace.Wrap(err)
+	var user types.User
+	// Only run this if we sucessfully retrieved the client.
+	if err == nil {
+		user, err = clt.GetUser(r.Context(), ctx.GetUser(), false)
+		if err != nil {
+			h.log.
+				WithError(err).
+				Debug("Failed to retrieve user during logout.")
+		}
 	}
 
 	err = h.logout(r.Context(), w, ctx)
@@ -2184,8 +2192,8 @@ func (h *Handler) deleteWebSession(w http.ResponseWriter, r *http.Request, _ htt
 	}
 
 	// If the user has SAML SLO (single logout) configured, return a redirect link to the SLO URL.
-	if len(user.GetSAMLIdentities()) > 0 && user.GetSAMLIdentities()[0].SAMLSingleLogoutURL != "" {
-		return map[string]interface{}{"redirect": user.GetSAMLIdentities()[0].SAMLSingleLogoutURL}, nil
+	if user != nil && len(user.GetSAMLIdentities()) > 0 && user.GetSAMLIdentities()[0].SAMLSingleLogoutURL != "" {
+		return map[string]interface{}{"samlSloUrl": user.GetSAMLIdentities()[0].SAMLSingleLogoutURL}, nil
 	}
 
 	return OK(), nil

web/packages/teleport/src/SingleLogoutFailed/SingleLogoutFailed.story.tsx

@@ -0,0 +1,53 @@
+/**
+ * Teleport
+ * Copyright (C) 2024  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+import React from 'react';
+import { Router } from 'react-router';
+import { createMemoryHistory } from 'history';
+
+import { SingleLogoutFailed } from './SingleLogoutFailed';
+
+export default {
+  title: 'Teleport/LogoutError',
+};
+
+export const FailedDefault = () => {
+  const history = createMemoryHistory({
+    initialEntries: ['/web/msg/error/slo'],
+    initialIndex: 0,
+  });
+
+  return (
+    <Router history={history}>
+      <SingleLogoutFailed />
+    </Router>
+  );
+};
+
+export const FailedOkta = () => {
+  const history = createMemoryHistory({
+    initialEntries: ['/web/msg/error/slo?connectorName=Okta'],
+    initialIndex: 0,
+  });
+
+  return (
+    <Router history={history}>
+      <SingleLogoutFailed />
+    </Router>
+  );
+};

web/packages/teleport/src/services/websession/websession.ts

@@ -37,11 +37,10 @@ let sesstionCheckerTimerId = null;
 const session = {
   logout(rememberLocation = false) {
     api.delete(cfg.api.webSessionPath).then(response => {
-      if (response.redirect) {
-        this.clear();
-        window.open(response.redirect, '_self');
+      this.clear();
+      if (response.samlSloUrl) {
+        window.open(response.samlSloUrl, '_self');
       } else {
-        this.clear();
         history.goToLogin(rememberLocation);
       }
     });