Access Manager SAML2 logout request by o365 does not get processed correctly

  • 7024317
  • 05-Dec-2019
  • 05-Dec-2019

Environment

  • Access Manager 4.4
  • Access Manager 4.5

Situation

  • Access Manager IDP server reports 'Your session has been logged out. It is recommended that you close your browser to complete the termination of this session' while executing the o365 SP-initiated SAML logout request

Resolution

  • Disable the "HttpHeaderSecurityFilter" by commenting out its section in the NIDP server web.xml files:
    • /opt/novell/nam/idp/conf/web.xml
    • /opt/novell/nids/lib/webapp/WEB-INF/web.xml

  • Use the "Content-Security-Policy" header instead; it can be configured from within: iManager => IDP Servers => Response Headers

  • Add the header: Content-Security-Policy: frame-ancestors 'self' https://login.microsoftonline.com;

Cause

  • The browser client could not load "logoutSuccess.jsp", which clears the user session at the IDP server, because the X-Frame-Options SAMEORIGIN policy prevented the page from being framed.

Additional Information

The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies the valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. Setting this directive to 'none' is similar to X-Frame-Options: DENY (which is also supported in older browsers).
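To verify the Resolution above and the framing rules described in this section, the following added example (not part of the original article or of Access Manager) evaluates whether a given parent origin may frame the IDP page under X-Frame-Options and under CSP frame-ancestors. The IDP origin https://idp.example.com and the header sets BEFORE/AFTER are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_csp(csp):
    """Split a CSP header value into {directive: [source tokens]}."""
    policy = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_source_matches(src, parent):
    """Match a host-source such as https://login.microsoftonline.com or https://*.example.com.
    Scheme-sources like 'https:' are not handled; ports are ignored (assumes default ports)."""
    scheme, sep, host = src.lower().partition("://")
    if not sep or scheme != parent.scheme:
        return False
    host = host.split("/")[0].split(":")[0]
    if host.startswith("*."):
        return parent.hostname.endswith(host[1:])   # '*.example.com' matches 'a.example.com'
    return host == parent.hostname

def frame_ancestor_allowed(headers, page_origin, parent_origin):
    """True if a page served with `headers` from page_origin may be framed by parent_origin."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    parent = urlsplit(parent_origin)
    csp = hdrs.get("content-security-policy")
    sources = parse_csp(csp).get("frame-ancestors") if csp else None
    if sources is not None:
        # When both headers are present, CSP frame-ancestors takes precedence over X-Frame-Options.
        for src in sources:
            if src == "'none'":
                return False
            if src == "*" or (src == "'self'" and parent_origin == page_origin):
                return True
            if _host_source_matches(src, parent):
                return True
        return False
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent_origin == page_origin
    return True   # no framing restriction at all

# Constructed sample: the IDP logout page framed by the Office 365 sign-out page.
IDP_ORIGIN = "https://idp.example.com"           # assumed NAM IDP origin
O365_ORIGIN = "https://login.microsoftonline.com"
BEFORE = {"X-Frame-Options": "SAMEORIGIN"}        # policy described under Cause
AFTER = {"Content-Security-Policy": "frame-ancestors 'self' https://login.microsoftonline.com;"}
```

Running `frame_ancestor_allowed(BEFORE, IDP_ORIGIN, O365_ORIGIN)` returns False and the same call with AFTER returns True, while an unrelated origin is still rejected.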