Environment
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway
Situation
A 3rd party SAML2 Identity Server provides authentication to users for our Access Manager 3.1.3 IR1 Identity Server host, which runs as a SAML2 Service Provider (SP). The 3rd party IDP metadata we import on our SAML2 SP includes single logout (SLO) links for only the SOAP and Redirect bindings - there are no entries for the POST binding.
The SAML2 SP is configured to do frontchannel logout so that we use the redirect based SLO request.
When a user logs into the SAML2 SP and issues an SLO request, all works fine, i.e. the SLO request is generated using the redirect binding as expected.
When a user hits a LAG protected resource, the user is redirected to authenticate at the 3rd party IDP server, which works fine. If the user then logs out using either the /AGlogout or /nesp/app/plogout logout link, the user logs out of both the Liberty and SAML IDP successfully. However, the SAML based logout does NOT use the redirect binding - it always uses the SOAP binding, which requires communication across the backchannel rather than frontchannel via the browser.
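To see which SLO bindings an imported IDP metadata file actually advertises, and which one an SP configured for frontchannel logout should pick, the following Python script is an added example (not from this TID and not Novell Access Manager code). The metadata it parses is constructed with placeholder hostnames to match the situation above: SLO offered over SOAP and Redirect only, with no POST entry. The selection rule (Redirect, then POST, SOAP only as a last resort) is the example's own, not a description of the product's internal logic.

```python
"""
Inspect the SingleLogoutService endpoints advertised in SAML2 IdP metadata and
choose the binding an SP configured for front-channel logout should use.

Added example; not taken from the TID or from Novell Access Manager.
The metadata below is constructed for illustration (hostnames are placeholders).
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Front-channel bindings travel through the user's browser; SOAP is back-channel
# (direct SP-to-IdP HTTP call, which the browser never sees).
FRONTCHANNEL_BINDINGS = (BINDING_REDIRECT, BINDING_POST)

# Constructed IdP metadata: SLO offered over SOAP and Redirect only, no POST.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.test/saml2/slo/soap"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/slo/redirect"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def slo_endpoints(metadata_xml):
    """Return {binding_uri: location} for every SingleLogoutService in the IdP role."""
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for svc in root.iterfind(".//md:IDPSSODescriptor/md:SingleLogoutService", NS):
        endpoints[svc.get("Binding")] = svc.get("Location")
    return endpoints


def choose_slo_binding(endpoints, frontchannel=True):
    """
    Pick the SLO binding an SP should use from the advertised endpoints.

    frontchannel=True: prefer HTTP-Redirect, then HTTP-POST, and fall back to
    SOAP only when the IdP advertises no browser-based SLO endpoint at all.
    frontchannel=False: prefer SOAP (back-channel) when available.
    Returns (binding_uri, location), or None if nothing usable is advertised.
    """
    if frontchannel:
        order = list(FRONTCHANNEL_BINDINGS) + [BINDING_SOAP]
    else:
        order = [BINDING_SOAP] + list(FRONTCHANNEL_BINDINGS)
    for binding in order:
        if binding in endpoints:
            return binding, endpoints[binding]
    return None


def is_frontchannel(binding_uri):
    """True when the binding passes through the user's browser."""
    return binding_uri in FRONTCHANNEL_BINDINGS


if __name__ == "__main__":
    eps = slo_endpoints(SAMPLE_IDP_METADATA)
    for binding, location in eps.items():
        print(f"{binding.rsplit(':', 1)[1]:14s} {location}")
    chosen = choose_slo_binding(eps, frontchannel=True)
    print("front-channel SLO choice:", chosen[0].rsplit(':', 1)[1], chosen[1])
```

Running the script against your real IDP metadata export (instead of the constructed sample) shows at a glance whether a front-channel SLO endpoint exists for the SP to use; if only SOAP is listed, a back-channel logout is the only option regardless of how the SP is configured.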
Resolution
Apply 3.1.3 IR2 (build 3.1.3-292) or greater
The frontchannel option is available for the SAML protocol and not the Liberty protocol. IR2 addresses this.