Environment
- Access Manager 4.4
- Access Manager 4.5
Situation
- The Access Manager IDP server reports 'Your session has been logged out. It is recommended that you close your browser to complete the termination of this session' while executing the O365 SP-initiated SAML logout request.
Resolution
- Disable the "HttpHeaderSecurityFilter" by commenting out its section in the NIDP server's web.xml files:
  - /opt/novell/nam/idp/conf/web.xml
  - /opt/novell/nids/lib/webapp/WEB-INF/web.xml
- Instead, use the "Content-Security-Policy" header, which can be configured in iManager => IDP Servers => Response Headers.
- Add the header: Content-Security-Policy: frame-ancestors 'self' https://login.microsoftonline.com;
Cause
- The browser could not execute the "logoutSuccess.jsp" page, which clears the user session at the IDP server, because of the X-Frame-Options SAMEORIGIN policy.
Additional Information
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. Setting this directive to 'none' is similar to X-Frame-Options: DENY (which is also supported in older browsers).
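
A header check to run against the IDP's logout response after applying the Resolution, written as an added example (not NetIQ code). The IDP origin https://idp.example.com, the sample header sets, and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def _port(u):
    return u.port or {"http": 80, "https": 443}.get(u.scheme)

def source_matches(source, parent, self_origin):
    """Match one source expression against the embedding page's origin.
    Simplified and strict: schemes must be equal, paths are ignored."""
    if source.lower() == "'none'":
        return False
    if source.lower() == "'self'":
        return parent == self_origin
    if source == "*":
        return True
    if "://" not in source:  # host-only source: assume the parent's scheme
        source = urlsplit(parent).scheme + "://" + source
    s, p = urlsplit(source), urlsplit(parent)
    if s.scheme != p.scheme or _port(s) != _port(p):
        return False
    host = s.hostname or ""
    if host.startswith("*."):
        return (p.hostname or "").endswith(host[1:])
    return host == p.hostname

def audit(headers, idp_origin, parent_origin):
    """List deviations from the header set the Resolution describes."""
    h = {k.lower(): v for k, v in headers.items()}
    issues = []
    if "x-frame-options" in h:
        issues.append(f"X-Frame-Options: {h['x-frame-options']} is still sent")
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is None:
        issues.append("no frame-ancestors directive")
    elif not any(source_matches(s, parent_origin, idp_origin) for s in sources):
        issues.append(f"frame-ancestors does not list {parent_origin}")
    return issues

# Constructed sample data: header sets before and after the change.
IDP, O365 = "https://idp.example.com", "https://login.microsoftonline.com"
BEFORE = {"X-Frame-Options": "SAMEORIGIN"}
AFTER = {"Content-Security-Policy": "frame-ancestors 'self' https://login.microsoftonline.com;"}
```

An empty list from `audit(AFTER, IDP, O365)` means the logout page can be framed by the Microsoft login origin while other cross-origin parents remain excluded.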