SAML2 logout requests generate "status:responder" if received by a cluster node different than the one where the user authentication occurred

  • 7008158
  • 18-Mar-2011
  • 26-Apr-2012

Environment

  • Novell Access Manager 3.1.3-247 Linux
  • Novell Identity Server

Situation

Purpose:

Configure a cluster of Novell Access Manager (NAM) Identity Servers (IDS) as Identity Provider in a SAML2 federation environment with Novell or third party Service Providers (SP).

Symptoms:

Whenever a member of the IDS cluster receives a SAML2 logout request where the authentication was performed on a different node, it replies back with "status:responder" causing the logout to fail.

If the SAML2 logout request is sent to the same IDS cluster node that performed the user authentication, everything works as expected and the logout succeeds.

The issue occurs only in a cluster scenario; if a single IDS is used as SAML2 Identity Provider, the problem is not present.
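The "status:responder" mentioned above is the top-level SAML2 status code urn:oasis:names:tc:SAML:2.0:status:Responder carried in the samlp:LogoutResponse the IDS returns to the SP. When diagnosing this symptom it helps to capture that response and inspect it rather than relying on the SP's error page. The following Python script is an added example, not code from the article or from Novell; it parses a LogoutResponse with the standard SAML2 namespaces, walks the (possibly nested) StatusCode chain, and checks that the response correlates with the LogoutRequest the SP sent. The two sample responses and the request ID are constructed for the example; the real messages from an IDS may carry additional attributes and a signature.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces (not specific to Novell).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed sample: a successful logout response from an IDP.
SUCCESS_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response-ok" Version="2.0" IssueInstant="2011-03-18T10:00:00Z"
    InResponseTo="_constructed-logout-request-1" Destination="https://sp.example.test/slo">
  <saml:Issuer>https://idp.example.test/nidp/saml2/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:LogoutResponse>"""

# Constructed sample: the failure described in the article (top-level Responder).
RESPONDER_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response-fail" Version="2.0" IssueInstant="2011-03-18T10:00:05Z"
    InResponseTo="_constructed-logout-request-1" Destination="https://sp.example.test/slo">
  <saml:Issuer>https://idp.example.test/nidp/saml2/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <samlp:StatusMessage>constructed: session not found on this node</samlp:StatusMessage>
  </samlp:Status>
</samlp:LogoutResponse>"""


def parse_logout_response(xml_text):
    """Return issuer, InResponseTo, the StatusCode chain and StatusMessage of a LogoutResponse."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutResponse: %s" % root.tag)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("LogoutResponse has no samlp:Status element")
    # Walk the StatusCode chain: the top-level code is mandatory, a nested
    # second-level code (e.g. Requester/Responder detail) is optional.
    codes = []
    node = status.find("samlp:StatusCode", NS)
    if node is None:
        raise ValueError("samlp:Status has no StatusCode")
    while node is not None:
        value = node.get("Value", "")
        codes.append(value[len(STATUS_PREFIX):] if value.startswith(STATUS_PREFIX) else value)
        node = node.find("samlp:StatusCode", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "in_response_to": root.get("InResponseTo", ""),
        "status_codes": codes,
        "status_message": status.findtext("samlp:StatusMessage", default="", namespaces=NS),
    }


def check_logout(xml_text, expected_request_id):
    """Return (ok, problems): ok only if the response answers our request and reports Success."""
    info = parse_logout_response(xml_text)
    problems = []
    if info["in_response_to"] != expected_request_id:
        problems.append("InResponseTo %r does not match the LogoutRequest ID %r"
                        % (info["in_response_to"], expected_request_id))
    if info["status_codes"][0] != "Success":
        detail = " (%s)" % info["status_message"] if info["status_message"] else ""
        problems.append("logout failed with status %s%s from %s"
                        % ("/".join(info["status_codes"]), detail, info["issuer"]))
    return (not problems, problems)


if __name__ == "__main__":
    for name, xml_text in (("success", SUCCESS_RESPONSE), ("responder", RESPONDER_RESPONSE)):
        ok, problems = check_logout(xml_text, "_constructed-logout-request-1")
        print(name, "OK" if ok else "FAILED", problems)
```

In a cluster deployment the useful follow-up is to note which IDS node answered (for example from the load balancer or the node's own log) next to the result: if every Responder status comes from a node other than the one that authenticated the session, the symptom matches the one described in this article.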

Changes:

The trust relationship between the IDS and the SP was properly configured on both sides, and the "Failover Peer Server Count" in the NAM IDS cluster configuration was properly set so as to share the authentication session across the nodes.

The format of the SAML2 logout request received from the SP has been verified and confirmed to comply with the specification.

Resolution

This has been fixed in version 3.1 SP3 IR2 (3.1.3-292).