Access Manager SAML2 logout request by o365 does not get processed correctly

  • 7024317
  • 05-Dec-2019
  • 05-Dec-2019


  • Access Manager 4.4
  • Access Manager 4.5


  • Access Manager IDP server reports: 'Your session has been logged out. It is recommended that you close your browser to complete the termination of this session' while executing the o365 SP initiated SAML Logout request


  • Disable the "HttpHeaderSecurityFilter" by commenting out its section in the following files on the NIDP server:
    • /opt/novell/nam/idp/conf/web.xml
    • /opt/novell/nids/lib/webapp/WEB-INF/web.xml

  • Instead, use the "Content-Security-Policy" header, which can be configured from within: iManager => IDP Servers => Response Headers

  • Add the header: Content-Security-Policy: frame-ancestors 'self';


  • The browser client could not execute "logoutSuccess.jsp", which clears up the user session at the IDP server, because of the X-Frame-Options SAMEORIGIN policy.

Additional Information

The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. Setting this directive to 'none' is similar to X-Frame-Options: DENY (which is also supported in older browsers).
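
One way to confirm that the resolution above took effect, as an added example that is not part of the original article or of Access Manager: the Python check below parses a captured response header block (for instance the output of `curl -sI` against an IDP URL) and reports whether X-Frame-Options is still sent and whether the Content-Security-Policy carries frame-ancestors 'self'. The function names are hypothetical and both sample responses are constructed.

```python
# Added example: checks IDP response headers against the resolution above.
# BEFORE and AFTER are constructed samples, not captures from a real server.

def parse_headers(raw):
    """Parse a raw HTTP header block into {lowercase-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_ancestors(csp_value):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        # CSP directive names are case-insensitive; the first occurrence wins.
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def check_framing_headers(raw):
    """Return a list of findings; an empty list means the headers match the resolution."""
    headers = parse_headers(raw)
    findings = []
    if "x-frame-options" in headers:
        findings.append("X-Frame-Options still sent (%s): is HttpHeaderSecurityFilter "
                        "still active?" % ", ".join(headers["x-frame-options"]))
    policies = headers.get("content-security-policy", [])
    lists = [s for s in map(frame_ancestors, policies) if s is not None]
    if not lists:
        findings.append("no Content-Security-Policy frame-ancestors directive found")
    for sources in lists:
        if sources != ["'self'"]:
            findings.append("frame-ancestors is %r, expected 'self'" % " ".join(sources))
    return findings

BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
"""
AFTER = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: frame-ancestors 'self';
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, check_framing_headers(raw) or "OK")
```

A response that reports both findings for the "before" case and none for the "after" case shows that the filter is disabled and the framing restriction is still enforced through the Content-Security-Policy header.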