NetIQ Access Manager NIDP server acting as WS-Fed IDP runs into Java exception on signout request

  • 7021387
  • 13-Sep-2017
  • 13-Sep-2017

Environment

Access Manager 4.2
Access Manager 4.3
Access Manager 4.4

Situation

  • NetIQ Access Manager NIDP server acting as WS-Fed IDP

  • The WS-Fed signout request to
    ======================================================================
    https://idpa.kgast.nam.com:8443/nidp/wsfed/ep?wa=wsignout1.0&wreply=https://idpa31.kgast.nam.com:8443/nidp
    ======================================================================
    leads to a 500 internal server error (Java exception) at the IDP server if no "wtrealm" parameter is passed.

  • If the above request includes the wtrealm parameter, the logout works without any problems:
    ======================================================================
    https://idpa.kgast.nam.com:8443/nidp/wsfed/ep?wa=wsignout1.0&wtrealm=https://idpa31.kgast.nam.com:8443/nidp/wsfed/&wreply=https://idpa31.kgast.nam.com:8443/nidp
    ======================================================================

Resolution

When no realm (wtrealm) is passed with the logout request, the endpoint path for that request is "/nidp/wsfed/loreply". For the scenario above: "sloUrl = https://idpa.kgast.nam.com:8443/nidp/wsfed/loreply"

In general, the WS-Fed metadata looks like this:
WSFedDescriptor
ID = https://idpa.kgast.nam.com:8443/nidp/wsfed/
sloUrl = https://idpa.kgast.nam.com:8443/nidp/wsfed/loreply
ssoUrl = https://idpa.kgast.nam.com:8443/nidp/wsfed/ep

Cause

The wrong endpoint, "https://idpa.kgast.nam.com:8443/nidp/wsfed/ep", was used for the logout request.

Additional Information

Without the "wtrealm" parameter, the IDP server generally does not know for which Service Provider (SP) the session logout should be processed. In such a situation a global / complete logout should happen. The WS-Fed endpoint required for this scenario had been configured incorrectly.
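As an added check written for this article (not NetIQ code), the following Python script validates a WS-Fed signout request against the endpoint rule from the Resolution (no wtrealm means /nidp/wsfed/loreply) and checks that the sloUrl/ssoUrl of a WSFedDescriptor match its ID; the URLs are the ones from the Situation section, and the `check_*` function names are my own.

```python
# Added example for this article (not NetIQ code): checks a WS-Fed sign-out
# request and a WSFedDescriptor against the endpoint rule described above.
from urllib.parse import urlparse, parse_qs

SSO_PATH = "/nidp/wsfed/ep"        # ssoUrl; the article shows sign-out WITH wtrealm working here
SLO_PATH = "/nidp/wsfed/loreply"   # sloUrl; required for sign-out WITHOUT wtrealm


def check_signout_request(url):
    """Return a list of findings for a WS-Fed sign-out URL (empty list means OK)."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    wa = query.get("wa", [None])[0]
    if wa != "wsignout1.0":
        return [f"wa={wa!r} is not a WS-Fed sign-out request"]
    findings = []
    if "wreply" not in query:
        findings.append("wreply is missing, the IDP cannot send the user back to the SP")
    if "wtrealm" in query:
        # Realm known: the IDP can log out that one SP. Accept both documented
        # WS-Fed endpoints of the IDP here.
        if parts.path not in (SSO_PATH, SLO_PATH):
            findings.append(f"unknown WS-Fed endpoint path {parts.path}")
    elif parts.path != SLO_PATH:
        # No realm: the IDP must perform a global logout, which is what the
        # loreply endpoint handles. Sending it to /ep is the misconfiguration
        # behind the 500 error in this article.
        findings.append(f"sign-out without wtrealm must use {SLO_PATH}, got {parts.path}")
    return findings


def check_descriptor(descriptor):
    """Check that sloUrl and ssoUrl of a WSFedDescriptor (as a dict) match its ID."""
    base = descriptor["ID"].rstrip("/")   # e.g. https://idpa.kgast.nam.com:8443/nidp/wsfed
    expected = {"sloUrl": base + "/loreply", "ssoUrl": base + "/ep"}
    return [f"{key} is {descriptor.get(key)!r}, expected {want!r}"
            for key, want in expected.items() if descriptor.get(key) != want]


if __name__ == "__main__":
    # The failing request from the Situation section (no wtrealm, sent to /ep).
    bad = ("https://idpa.kgast.nam.com:8443/nidp/wsfed/ep?wa=wsignout1.0"
           "&wreply=https://idpa31.kgast.nam.com:8443/nidp")
    for finding in check_signout_request(bad):
        print("finding:", finding)
```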