LogoutSuccess page not presented when AGLogout is run after user access both a Protected Resource and SAML Service Provider

  • 7010743
  • 06-Sep-2012
  • 06-Sep-2012

Environment

NetIQ Access Manager 3.1 Support Pack 4
NetIQ Identity (IDP) Server set up and communicating with Linux Access Gateways as well as SAML2 Service Providers

Situation

Access Manager was set up and working correctly: users could access applications protected by the Linux Access Gateway (LAG)
after having authenticated to the Identity (IDP) server, and could also log out successfully by hitting the /AGLogout link.
SAML2 was then enabled on the IDP server so that users could log in to this IDP server and get SSO to a remote SAML2
Service Provider (SP). Only after this change was made did reports start coming in to the helpdesk that user logouts were
not succeeding: instead of receiving the usual logout message, users reported blank screens.


After debugging the issue, the following use case was found to fail:

a) The user hits a LAG protected resource (PR) and authenticates via the IDP server (using the Liberty protocol by default).
b) The user then hits the SAML2 SP and is single signed on, because the session at the IDP server from step a) is still valid. This part of the communication uses the SAML2 protocol.
c) The user returns to the original LAG PR and confirms that pages render successfully.
d) The user hits the /AGLogout or /nesp/app/plogout URL link on the LAG PR to log out.
e) The user never executes the LogoutSuccess.jsp page, and hence no logout message is rendered.

What happens is that the SOAP backchannel logout request fails between the ESP and the IDP server, with the following
message visible in the catalina log file in the logout response from the IDP server:

  <samlp:Status>
    <samlp:StatusCode Value="samlp:Requester">
      <samlp:StatusCode Value="lib:UnsupportedProfile"/>
    </samlp:StatusCode>
  </samlp:Status>
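To spot this failure in catalina logs without reading every backchannel exchange by hand, the following added example (not part of the TID or of the Access Manager product) extracts the LogoutResponse from a log line and walks the nested samlp:StatusCode chain; the log line format, element IDs and the wrapping LogoutResponse element are constructed assumptions, only the nested status itself is taken from the TID.

```python
import re
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# A top-level StatusCode of Success means the IDP accepted the logout; the
# prefixed form is what this vendor's log shows, the URN is the SAML 2.0 value.
SUCCESS_VALUES = {"urn:oasis:names:tc:SAML:2.0:status:Success", "samlp:Success"}

# Constructed log lines (timestamps, IDs and wrapper element are assumptions);
# the nested Requester/UnsupportedProfile status is the one from the TID.
SAMPLE_FAIL_LINE = (
    '2012-09-06 10:15:42,123 DEBUG ESP received LogoutResponse: '
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="id-PLACEHOLDER-1" InResponseTo="id-PLACEHOLDER-2" Version="2.0">'
    '<samlp:Status><samlp:StatusCode Value="samlp:Requester">'
    '<samlp:StatusCode Value="lib:UnsupportedProfile"/>'
    '</samlp:StatusCode></samlp:Status></samlp:LogoutResponse>'
)
SAMPLE_OK_LINE = (
    '2012-09-06 10:16:01,456 DEBUG ESP received LogoutResponse: '
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="id-PLACEHOLDER-3" InResponseTo="id-PLACEHOLDER-4" Version="2.0">'
    '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
    '</samlp:LogoutResponse>'
)


def status_chain(logout_response_xml: str) -> list:
    """Return StatusCode values top-down, e.g. ['samlp:Requester', 'lib:UnsupportedProfile']."""
    root = ET.fromstring(logout_response_xml)
    status = root.find(f"{{{SAMLP_NS}}}Status")
    if status is None:
        raise ValueError("LogoutResponse carries no samlp:Status element")
    chain = []
    code = status.find(f"{{{SAMLP_NS}}}StatusCode")
    while code is not None:  # SAML allows StatusCode to nest for sub-status detail
        chain.append(code.get("Value", ""))
        code = code.find(f"{{{SAMLP_NS}}}StatusCode")
    return chain


def classify_logout(log_line: str) -> dict:
    """Find a LogoutResponse in one log line and report whether the backchannel logout succeeded."""
    m = re.search(r"<samlp:LogoutResponse.*?</samlp:LogoutResponse>", log_line, re.S)
    if not m:
        return {"found": False, "success": None, "codes": [], "unsupported_profile": False}
    codes = status_chain(m.group(0))
    return {
        "found": True,
        "success": bool(codes) and codes[0] in SUCCESS_VALUES,
        "codes": codes,
        # The sub-status that identifies this TID's failure mode.
        "unsupported_profile": any(c.endswith("UnsupportedProfile") for c in codes),
    }
```

A result with `success` False and `unsupported_profile` True on a /AGLogout exchange is the signature described above; anything else is a different logout problem.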

Resolution

Apply Access Manager 3.1 Support Pack 4 IR1. This fix is also available in the 3.2 Access Manager code.