Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Acting as a SAML2 Identity Provider
3rd Party SAML2 Service Provider
NetIQ Access Manager 3.2 Acting as a SAML2 Identity Provider
3rd Party SAML2 Service Provider
Situation
Users single sign on to 3rd party SAML2 Service provider after authenticating to the Access Manager Identity (IDP) Server without problems. If the user remains logged in to the SAML2 SP for longer than the Identity Server session timeout, and then clicks the SP logout link, the user is then redirected to logout of the IDP server using the /nidp/app/logout URL. When the IDP server processes this logout request, it sees that the users session has expired and prompts the user to login. This is not what one would expect. A better outcome would be if the user is not authenticated to the IDP, the IDP
should simply redirect the user to the logoutSuccess jsp as if a successful
unauthentication had occured.
Resolution
Modified the logout JSP page to check whether the users session is valid (using 'isAuthenticated(handler.getSession()))') at the IDP server and if not, redirect to the logoutSuccess.jsp directly.
Another option it to create a filter that is wrapping calls to a custom JSP that we create eg. /jsp/customLogout.jsp by adding a custom jsp-servlet to the web.xml:
<% ContentHandler handler = new ContentHandler(request,response);
%>
<% AuthenticationCard card = handler.getCurrentCard(); %>
<% if (card == null || handler == null || !card.isAuthenticated(handler.getSession())) { %>
window.location = '/nidp/jsp/logoutSuccess.jsp?';
<% } else { %>
window.location = '/nidp/app/logout';
<% } %>
<% AuthenticationCard card = handler.getCurrentCard(); %>
<% if (card == null || handler == null || !card.isAuthenticated(handler.getSession())) { %>
window.location = '/nidp/jsp/logoutSuccess.jsp?';
<% } else { %>
window.location = '/nidp/app/logout';
<% } %>
Another option it to create a filter that is wrapping calls to a custom JSP that we create eg. /jsp/customLogout.jsp by adding a custom jsp-servlet to the web.xml:
<servlet>
<servlet-name>customLogoutJsp</servlet-name>
<jsp-file>/jsp/customLogout.jsp</jsp-file>
<init-param>
<param-name>hello</param-name>
<param-value>test</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>customLogoutJsp</servlet-name>
<url-pattern>/customLogout.jsp</url-pattern>
</servlet-mapping>
<servlet-name>customLogoutJsp</servlet-name>
<jsp-file>/jsp/customLogout.jsp</jsp-file>
<init-param>
<param-name>hello</param-name>
<param-value>test</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>customLogoutJsp</servlet-name>
<url-pattern>/customLogout.jsp</url-pattern>
</servlet-mapping>
By having users logout via the /nidp/customLogout.jsp, which in turn redirects users to any defined page, the IDP server will bypass any authentication checks and simply redirect the users to that location.