Setup with AM as SP using the SAML2 AuthN module with SLO enabled and a Single Logout URL set. Cache settings not modified (default 10 min). When users log out after more than 10 minutes, they are not redirected to the Single Logout URL but see the "SP initiated single logout succeeded." page instead.
- Install IDP (http://idp.example.net:28080/openam) and create a hosted IdP
- Install SP http://sp.example.com:38080/openam
- Set up SAML2 integrated mode (add SAML2 module, configure with IdP settings, create SAML2 chain, modify services with AuthConsumer instead of Consumer)
- Register the remote SP on the IdP and the remote IdP on the SP
- Enable SAML2 failover (on the SP)
- Test SAML2 chain
- Enable SLO and add a value for Single Logout URL, such as http://forgerock.com
- Add the SAML2 POST Auth plugin to the chain
- Test SLO works correctly: when logging out soon after logging in, user is redirected to http://forgerock.com
- Log user in
- Wait for 15 minutes
- Click on logout
- Observe the result
See comments from OPENAM-11795.
The RelayState reference is saved in the logout string (itself saved in CTS, since SAML2 failover is enabled). However, the value the reference points to lives only in the cache and is lost after 10 minutes.
RelayState is a configuration setting, so it can (and should) be added at logout time.
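The failure mode described above, modelled as an added example (not OpenAM code): a durable store holds only a reference, the referenced value sits in a TTL cache, and a logout after the TTL falls back to the success page. All names (TtlCache, login, logout_buggy, logout_fixed, sp_config) are hypothetical, and the second logout reads the Single Logout URL from configuration as the report suggests.

```python
import time

SUCCESS_PAGE = "SP initiated single logout succeeded."


class TtlCache:
    """In-memory cache whose entries expire after ttl seconds (stands in for the 10-minute cache)."""

    def __init__(self, ttl, clock=time.monotonic):
        self.ttl, self.clock, self._data = ttl, clock, {}

    def put(self, key, value):
        self._data[key] = (value, self.clock() + self.ttl)

    def get(self, key):
        item = self._data.get(key)
        if item is None or self.clock() > item[1]:
            self._data.pop(key, None)  # expired: the value is gone for good
            return None
        return item[0]


def login(cts, cache, session_id, sp_config):
    """Buggy pattern: CTS (durable, replicated) keeps only a reference; the value is cache-only."""
    ref = f"relaystate:{session_id}"
    cache.put(ref, sp_config["single_logout_url"])
    cts[session_id] = {"logout_string": ref}  # what SAML2 failover persists


def logout_buggy(cts, cache, session_id):
    """Resolve RelayState through the cached reference; fails silently once the cache entry expired."""
    target = cache.get(cts[session_id]["logout_string"])
    return ("redirect", target) if target else ("page", SUCCESS_PAGE)


def logout_fixed(cts, session_id, sp_config):
    """RelayState is configuration, so read it at logout time instead of via the cache."""
    del cts[session_id]  # the durable record is still needed for session teardown, not for RelayState
    target = sp_config.get("single_logout_url")
    return ("redirect", target) if target else ("page", SUCCESS_PAGE)


def simulate(elapsed_seconds, ttl=600):
    """Run login, advance a fake clock, then log out both ways; returns (buggy_result, fixed_result)."""
    now = [0.0]
    cache, cts = TtlCache(ttl, clock=lambda: now[0]), {}
    sp_config = {"single_logout_url": "http://forgerock.com"}  # constructed sample config
    login(cts, cache, "sess-1", sp_config)
    now[0] = elapsed_seconds
    return logout_buggy(cts, cache, "sess-1"), logout_fixed(cts, "sess-1", sp_config)
```

Running `simulate(900)` reproduces the report: the buggy path returns the success page while the fixed path still redirects.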