OPENAM-11795

No redirect to Relaystate if logout initiated by server different from server where login happened - with SAML2 AuthN module


    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0
    • Fix Version/s: None
    • Component/s: authentication, SAML


      Bug description

      Setup: two instances of AM acting as SP, using the SAML2 authN module with SLO enabled and a Single Logout URL set. When users log out, they are not redirected to the Logout URL but see the "SP initiated single logout succeeded." page instead. This only happens if the server that initiates the logout is different from the server where the login took place.

      How to reproduce the issue

      Configuration and baseline testing
      1. Install IDP (http://idp.example.net:28080/openam) and create a hosted IdP
      2. Install am1 and am2 as SP, within a site http://lb.example.com:8080/openam
      3. Install lb, e.g. haproxy, to listen to port 8080 and route to am1 and am2 
      4. Access http://lb.example.com:8080/openam and create a Hosted SP
      5. Set up SAML2 integrated mode (add SAML2 module, configure with IdP settings, create SAML2 chain, modify services with AuthConsumer instead of Consumer)
      6. Register remote SP on IdP and remote Idp on SP
      7. Enable SAML2 failover
      8. Test SAML2 chain
      9. Enable SLO and add a value for Single Logout URL, such as http://forgerock.com
      10. Add the SAML2 POST Auth plugin to the chain
      11. Set HAProxy to route to am1 only
      12. Test that SLO works correctly with only one server and that, after logging out, the user is redirected to http://forgerock.com

      1. Log user in on am1
      2. Change HAProxy to route to am2 only (or use round robin)
      3. Click on logout
      4. Observe the result
      Expected behaviour

      User redirected to the configured Single Logout URL, in this case http://forgerock.com

      Current behaviour

      User redirected to a page saying "SP initiated single logout succeeded."

      Code analysis

      As far as I could see, SAML2PostAuthenticationPlugin.java#getRedirectURL only saves the relayState value in the cache, and does so at the time of login, in the setupSingleLogOut method:

      // fragment of SAML2PostAuthenticationPlugin.setupSingleLogOut, as quoted in this report
      if ((relayState != null) && (relayState.length() > 0)) {
          // tmp is the generated key under which the relayState URL is cached in this JVM's SPCache
          String tmp = SAML2Utils.generateID();
          SPCache.relayStateHash.put(tmp, new CacheObject(relayState));
      }

      I did not go into the details of how the cache value is then retrieved, but the value is not found in the cache, there is no cross-talk, and the key of the relayState is used instead of its URL value. As that is not a valid URL, the default logout success page is shown instead.
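      To make the mechanism described above concrete, here is an added Python simulation of the two-node setup. It is not OpenAM code: the names SpNode, NodeLocalStore, login(), logout(), is_redirect_target() and LOGOUT_SUCCESS_PAGE are assumptions made for illustration. It models the relayState being cached under a generated key in a per-JVM map at login, the lookup missing when logout is served by the other node, and the fallback to the default success page when the resolved value is not an absolute http(s) URL. The same scenario run with one store shared by both nodes shows the redirect working again.

```python
"""Simulation of the SAML2 relay-state cache behaviour reported in OPENAM-11795.
Added example, not OpenAM's own classes; every name below is an assumption."""
import secrets
from urllib.parse import urlparse

# Constructed placeholder for the "SP initiated single logout succeeded." page.
LOGOUT_SUCCESS_PAGE = "/openam/saml2/jsp/spSingleLogoutSuccess.jsp"


class NodeLocalStore:
    """Models SPCache.relayStateHash: an in-memory map that lives in one JVM only."""

    def __init__(self):
        self._map = {}

    def put(self, key, value):
        self._map[key] = value

    def get(self, key):
        return self._map.get(key)


def is_redirect_target(value):
    """Only an absolute http(s) URL is an acceptable logout redirect target.
    A bare cache key (hex string, no scheme, no host) fails this check."""
    if not value:
        return False
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


class SpNode:
    """One AM instance acting as SP behind the load balancer."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def login(self, relay_state):
        # Mirrors setupSingleLogOut: cache the URL under a generated id and
        # carry only the id forward in the session.
        key = secrets.token_hex(8)
        self.store.put(key, relay_state)
        return {"relayStateKey": key}

    def logout(self, session):
        key = session["relayStateKey"]
        value = self.store.get(key)
        if value is None:
            # What the analysis observes: on a cache miss the key itself
            # ends up being used in place of the URL.
            value = key
        return value if is_redirect_target(value) else LOGOUT_SUCCESS_PAGE


def run_scenario(shared_store):
    """Log in on am1, then log out on am1 and on am2; return both redirect results.
    shared_store=False reproduces the bug (separate per-node caches);
    shared_store=True models a store replicated between the nodes."""
    store1 = NodeLocalStore()
    store2 = store1 if shared_store else NodeLocalStore()
    am1, am2 = SpNode("am1", store1), SpNode("am2", store2)
    session = am1.login("http://forgerock.com")
    return {"same_node": am1.logout(session), "other_node": am2.logout(session)}


if __name__ == "__main__":
    print("per-node cache:", run_scenario(False))
    print("shared store:  ", run_scenario(True))
```

      The is_redirect_target() check is the defensive half of the story: whatever store is used, the SP should only redirect to a value it can confirm is a URL, which is why a miss degrades to the default success page rather than to an arbitrary string.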

      • Assignee: Nathalie Hoet