Logout request using backchannel despite having frontchannel logout option enabled for SAML

  • 7008638
  • 24-May-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway

Situation

A 3rd party SAML2 Identity Server provides authentication for users of our Access Manager 3.1.3
IR1 Identity Server host, which runs as a SAML2 Service Provider (SP). The 3rd party IDP metadata
we import on our SAML2 SP includes single logout (SLO) links for only the SOAP and Redirect
bindings; there are no entries for the POST binding.

The SAML2 SP is configured for frontchannel logout so that we use redirect-based SLO
requests.

When a user logs into the SAML2 SP and issues an SLO request, all works fine,
i.e. the SLO request is generated using the redirect binding as expected.

When a user hits a LAG protected resource, the user is redirected to authenticate at the 3rd
party IDP server, which works fine. If the user then logs out using either the /AGlogout or
/nesp/app/plogout logout link, the user logs out of both the Liberty and SAML IDP successfully.

However, the SAML based logout does NOT use the redirect binding; it always uses the SOAP
binding, which requires communication across the backchannel and not the frontchannel via the browser.
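As an added check that is not part of the original TID, the following Python snippet parses the SingleLogoutService entries of an imported IdP metadata document and shows which binding a frontchannel versus backchannel SLO should select. The metadata, entity ID and endpoint URLs are constructed to mirror the situation above (SOAP and Redirect advertised, no POST).

```python
"""Inspect SAML2 IdP metadata for SingleLogoutService bindings and pick the
binding an SP should use for frontchannel (browser) or backchannel (SOAP) SLO."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
HTTP_REDIRECT = BINDING_PREFIX + "HTTP-Redirect"
HTTP_POST = BINDING_PREFIX + "HTTP-POST"
SOAP = BINDING_PREFIX + "SOAP"

# Constructed sample metadata (hypothetical IdP): SLO endpoints for SOAP and
# Redirect only, no POST entry, as in the situation described in the TID.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml2/metadata">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.test/saml2/slo/soap"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/slo/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def slo_endpoints(metadata_xml):
    """Return {binding URI: Location} for every SingleLogoutService the IdP advertises."""
    root = ET.fromstring(metadata_xml)
    return {
        svc.get("Binding"): svc.get("Location")
        for svc in root.iterfind("md:IDPSSODescriptor/md:SingleLogoutService", NS)
    }


def choose_slo_binding(endpoints, frontchannel):
    """Pick the SLO binding for a logout. Frontchannel logout prefers the browser
    bindings (Redirect, then POST); backchannel logout uses SOAP. Returns
    (binding, location), or None when the IdP advertises nothing usable."""
    preferred = [HTTP_REDIRECT, HTTP_POST] if frontchannel else [SOAP]
    for binding in preferred:
        if binding in endpoints:
            return binding, endpoints[binding]
    return None


if __name__ == "__main__":
    eps = slo_endpoints(SAMPLE_IDP_METADATA)
    print("advertised:", sorted(eps))
    print("frontchannel ->", choose_slo_binding(eps, frontchannel=True))
    print("backchannel  ->", choose_slo_binding(eps, frontchannel=False))
```

With the frontchannel option enabled, the expected selection is the HTTP-Redirect endpoint; a logout that still goes to the SOAP Location is the symptom this TID describes.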

Resolution

Apply 3.1.3 IR2 (build 3.1.3-292) or greater

The frontchannel option is available for the SAML protocol and not the Liberty protocol. IR2 addresses this.