Users prompted to login to Identity Server when logging out of SAML2 Service Provider

  • 7008935
  • 08-Jun-2012
  • 08-Jun-2012

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Acting as a SAML2 Identity Provider
3rd Party SAML2 Service Provider

Situation

Users single sign on to 3rd party SAML2 Service provider after authenticating to the Access Manager Identity (IDP) Server without problems. If the user remains logged in to the SAML2 SP for longer than the Identity Server session timeout, and then clicks the SP logout link, the user is then redirected to logout of the IDP server using the /nidp/app/logout URL. When the IDP server processes this logout request, it sees that the users session has expired and prompts the user to login. This is not what one would expect. A better outcome would be if the user is not authenticated to the IDP, the IDP should simply redirect the user to the logoutSuccess jsp as if a successful unauthentication had occured.

Resolution

Modified the logout JSP page to check whether the users session is valid (using 'isAuthenticated(handler.getSession()))') at the IDP server and if not, redirect to the logoutSuccess.jsp directly.

 <% ContentHandler handler = new ContentHandler(request,response); %>
 <% AuthenticationCard card = handler.getCurrentCard(); %>
 <% if (card == null || handler == null || !card.isAuthenticated(handler.getSession())) { %>
 window.location = '/nidp/jsp/logoutSuccess.jsp?';
 <% } else { %>
 window.location = '/nidp/app/logout';
 <% } %>

Another option it to create a filter that is wrapping calls to a custom JSP that we create eg. /jsp/customLogout.jsp by adding a custom jsp-servlet to the web.xml:
 
 <servlet>
  <servlet-name>customLogoutJsp</servlet-name>
  <jsp-file>/jsp/customLogout.jsp</jsp-file>
  <init-param>
   <param-name>hello</param-name>
   <param-value>test</param-value>
  </init-param>
 </servlet>
  
 <servlet-mapping>
  <servlet-name>customLogoutJsp</servlet-name>
  <url-pattern>/customLogout.jsp</url-pattern>
 </servlet-mapping>
  
By having users logout via the /nidp/customLogout.jsp, which in turn redirects users to any defined page, the IDP server will bypass any authentication checks and simply redirect the users to that location.