Environment
Access Manager 4.2
Access Manager 4.3
Access Manager 4.4
Situation
- NetIQ Access Manager NIDP server acting as WS-Fed IDP
- The WS-Fed signout request to
  https://idpa.kgast.nam.com:8443/nidp/wsfed/ep?wa=wsignout1.0&wreply=https://idpa31.kgast.nam.com:8443/nidp
  returns a 500 Internal Server Error (Java exception) from the IDP server if no "wtrealm" parameter is passed.
- If the same request includes the wtrealm parameter, the logout works without any problems:
  https://idpa.kgast.nam.com:8443/nidp/wsfed/ep?wa=wsignout1.0&wtrealm=https://idpa31.kgast.nam.com:8443/nidp/wsfed/&wreply=https://idpa31.kgast.nam.com:8443/nidp
Resolution
The endpoint path for the logout request when no realm (wtrealm) is passed is "/nidp/wsfed/loreply". For the scenario above this means: "sloUrl = https://idpa.kgast.nam.com:8443/nidp/wsfed/loreply"
In general the WS-Fed metadata can look like:
WSFedDescriptor ID = https://idpa.kgast.nam.com:8443/nidp/wsfed/
sloUrl = https://idpa.kgast.nam.com:8443/nidp/wsfed/loreply
ssoUrl = https://idpa.kgast.nam.com:8443/nidp/wsfed/ep
Cause
The wrong endpoint "https://idpa.kgast.nam.com:8443/nidp/wsfed/ep" (the ssoUrl) was used for the logout request instead of the sloUrl.
Additional Information
Without the "wtrealm" parameter the IDP server does not know for which Service Provider (SP) the session logout should be processed. In that situation a global (complete) logout should happen, and the WS-Fed endpoint for this scenario is the sloUrl ("/nidp/wsfed/loreply"). In the case described here that endpoint had been configured incorrectly on the SP side.
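As an added illustration (not code from the article or from Access Manager), the helper below builds the signout URL an SP should send, choosing the sloUrl when no wtrealm is known and the ep endpoint when it is, and classifies a captured signout request so the misconfiguration above (ep without wtrealm) can be spotted in SP configuration or access logs. The host names are the article's; the function and value names are assumptions.

```python
from urllib.parse import urlencode, urlparse, parse_qs

SIGNOUT_ACTION = "wsignout1.0"
REALM_ENDPOINT = "/nidp/wsfed/ep"        # ssoUrl: signout here needs wtrealm
GLOBAL_ENDPOINT = "/nidp/wsfed/loreply"  # sloUrl: global logout, no realm


def build_signout_url(idp_base, wreply, wtrealm=None):
    """Return the WS-Fed signout URL for the given NIDP server.

    idp_base is scheme://host:port of the IDP (assumed value in the test).
    With a realm the request goes to the ep endpoint; without one it must
    go to loreply, otherwise NIDP answers with a 500.
    """
    if wtrealm:
        path = REALM_ENDPOINT
        params = {"wa": SIGNOUT_ACTION, "wtrealm": wtrealm, "wreply": wreply}
    else:
        path = GLOBAL_ENDPOINT
        params = {"wa": SIGNOUT_ACTION, "wreply": wreply}
    return f"{idp_base}{path}?{urlencode(params)}"


def classify_signout_request(url):
    """Classify a signout request URL taken from a log or SP configuration.

    Returns 'missing-realm' for the failing case (ep endpoint, wa=wsignout1.0,
    no wtrealm), 'ok' for a well-formed signout, 'not-signout' otherwise.
    """
    parts = urlparse(url)
    query = parse_qs(parts.query)
    if query.get("wa") != [SIGNOUT_ACTION]:
        return "not-signout"
    if parts.path == REALM_ENDPOINT and "wtrealm" not in query:
        return "missing-realm"
    return "ok"
```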