SAML2 Service Provider ignores the “Front Channel Logout option” with LAG initiated logout

  • 7008942
  • 04-Jul-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Support Pack 3 applied

Situation

Access Manager is set up as a SAML2 Service Provider (SP) that has a trust relationship with a third-party SAML2 Identity Provider (IDP) server. Linux Access Gateway (LAG) protected resources are also configured, where users authenticate to the SAML2 SP (which is also a Liberty IDP server!).

The third-party IDP metadata includes SLO links for the SOAP and Redirect bindings but no POST binding. The Novell SAML2 SP is configured to do front channel logout, so the Redirect-binding SLO endpoint defined in the metadata should be used.

When a user logs into the SAML2 SP and issues an SLO request directly from the SAML2 SP, all works fine, i.e. the SLO request is generated using the Redirect binding as expected.

When a user hits a LAG protected resource, authenticates to the third-party IDP server, and then logs out using either /AGlogout or /nesp/app/plogout, the user is logged out of both the Liberty and the SAML IDP successfully. However, the SAML-based logout does NOT use the Redirect binding; it always uses the SOAP binding.

Resolution

Apply the Access Manager 3.1 Support Pack 3 Interim Release 2 builds (3.1.3-292) or greater AND add the following entry to the IDP server's web.xml file, just below the ldapLoadThreshold entry, for example:

        <context-param>
                <param-name>ldapLoadThreshold</param-name>
                <param-value>10</param-value>
        </context-param>
        <context-param>
                <param-name>forceESPSLOHTTP</param-name>
                <param-value>true</param-value>
        </context-param>
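As an added example (not part of the original TID and not NetIQ/Novell code), the following Python script checks the two preconditions described above: that the third-party IDP metadata actually advertises a SingleLogoutService with the HTTP-Redirect binding, and that the IDP server's web.xml carries the forceESPSLOHTTP=true context-param. The metadata fragment, the web.xml fragments and the idp.example.test hostname are constructed sample data; the parameter names ldapLoadThreshold and forceESPSLOHTTP come from the TID. The web.xml path and any comparison of a live deployment against these samples are assumptions for the reader to adapt.

```python
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Short names for the SAML2 binding URIs that matter for SLO.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP": "SOAP",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
}

# Constructed sample: a third-party IDP that offers SLO over SOAP and Redirect only (no POST),
# matching the situation in the TID. The hostname idp.example.test is made up.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.test/saml2/slo/soap"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/slo/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: web.xml before the fix (only the ldapLoadThreshold entry from the TID).
SAMPLE_WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>ldapLoadThreshold</param-name>
    <param-value>10</param-value>
  </context-param>
</web-app>
"""

# Constructed sample: web.xml after adding the forceESPSLOHTTP entry just below ldapLoadThreshold.
SAMPLE_WEB_XML_AFTER = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>ldapLoadThreshold</param-name>
    <param-value>10</param-value>
  </context-param>
  <context-param>
    <param-name>forceESPSLOHTTP</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.split("}")[-1]


def slo_bindings(metadata_xml):
    """Return {binding short name: Location} for every SingleLogoutService in the metadata."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for svc in root.iter("{%s}SingleLogoutService" % MD_NS):
        binding = svc.get("Binding", "")
        found[BINDINGS.get(binding, binding)] = svc.get("Location")
    return found


def context_params(web_xml):
    """Return {param-name: param-value} for every <context-param>, namespaced or not."""
    root = ET.fromstring(web_xml)
    params = {}
    for cp in root.iter():
        if _local(cp.tag) != "context-param":
            continue
        name = value = None
        for child in cp:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name:
            params[name] = value
    return params


def diagnose(metadata_xml, web_xml):
    """List the reasons ESP-initiated SLO would still go over SOAP; an empty list means both checks pass."""
    findings = []
    bindings = slo_bindings(metadata_xml)
    if "Redirect" not in bindings:
        findings.append("IDP metadata has no HTTP-Redirect SingleLogoutService; offered: %s"
                        % (", ".join(sorted(bindings)) or "none"))
    value = (context_params(web_xml).get("forceESPSLOHTTP") or "").lower()
    if value != "true":
        findings.append("web.xml lacks <context-param> forceESPSLOHTTP=true (found: %r)" % value)
    return findings


if __name__ == "__main__":
    # Assumed usage: python check_slo.py idp-metadata.xml /path/to/idp/web.xml
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as md, open(sys.argv[2]) as wx:
            metadata, webxml = md.read(), wx.read()
    else:
        metadata, webxml = SAMPLE_IDP_METADATA, SAMPLE_WEB_XML_BEFORE
    for finding in diagnose(metadata, webxml) or ["front channel SLO preconditions satisfied"]:
        print(finding)
```

Run it against the real IDP metadata and the IDP server's web.xml after applying the 3.1.3-292 or later build; if the metadata offers only a SOAP SingleLogoutService, adding forceESPSLOHTTP cannot help, since there is no front channel endpoint to redirect to.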