OPENAM-11835

SLO not redirecting to RelayState if logout after more than 10 minutes (default cache time) in SAML2 AuthN module


    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0
    • Fix Version/s: None
    • Component/s: authentication, SAML
    • Labels:
    • Target Version/s:
    • Support Ticket IDs:


      Bug description

      Setup: AM as SP using the SAML2 AuthN module with SLO enabled and a Single Logout URL configured. Cache time left at its default (10 min). When users log out more than 10 minutes after logging in, they are not redirected to the configured Logout URL but see the "SP initiated single logout succeeded." page instead.

      How to reproduce the issue

      1. Install IdP (http://idp.example.net:28080/openam) and create a hosted IdP
      2. Install SP http://sp.example.com:38080/openam
      3. Set up SAML2 integrated mode (add SAML2 module, configure with IdP settings, create SAML2 chain, modify services with AuthConsumer instead of Consumer)
      4. Register remote SP on IdP and remote IdP on SP
      5. Enable SAML2 failover (on the SP)
      6. Test SAML2 chain
      7. Enable SLO and add a value for Single Logout URL, such as http://forgerock.com
      8. Add the SAML2 POST Auth plugin to the chain
      9. Test that SLO works correctly: when logging out soon after logging in, the user is redirected to http://forgerock.com

      1. Log user in
      2. Wait for 15 minutes
      3. Click on logout
      4. Observe the result

      Expected behaviour

      User redirected to the configured Single Logout URL, in this case http://forgerock.com

      Current behaviour

      User redirected to a page saying "SP initiated single logout succeeded."

      Code analysis

      See comments from OPENAM-11795.

      The RelayState reference is saved in the logout string (itself persisted in CTS because SAML2 failover is enabled). However, the value the reference points to lives only in the in-memory cache and is lost once the 10-minute cache time expires, so at logout the reference can no longer be resolved.

      RelayState is a configuration setting, so it can be (and should be) read from the SP configuration at logout time rather than resolved through the cache.
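      The failure mode described above, as an added illustration (not OpenAM code): the RelayState value sits in a TTL cache while only its reference key is persisted in the logout string; after the default 10 minutes the lookup misses and the generic success page is shown, whereas reading the Single Logout URL from SP configuration at logout time is unaffected by the cache. Names such as TtlCache, logout_buggy, logout_fixed and the logout-string format are hypothetical.

```python
import time

DEFAULT_CACHE_TTL = 600  # OpenAM default cache time, 10 minutes (from the issue)
SUCCESS_PAGE = "SP initiated single logout succeeded."


class TtlCache:
    """In-memory cache whose entries vanish after ttl seconds (models the AM cache)."""
    def __init__(self, ttl, clock=time.time):
        self.ttl, self.clock, self._store = ttl, clock, {}

    def put(self, key, value):
        self._store[key] = (value, self.clock())

    def get(self, key):
        hit = self._store.get(key)
        if hit is None or self.clock() - hit[1] > self.ttl:
            self._store.pop(key, None)  # expired: behaves exactly like a miss
            return None
        return hit[0]


def login(cache, cts, session_id, relay_state):
    """At login the RelayState value goes into the cache; only its reference key
    is written into the logout string that CTS persists (SAML2 failover)."""
    ref = f"relaystate-{session_id}"  # constructed reference key
    cache.put(ref, relay_state)
    cts[session_id] = {"logout_string": f"spEntityID=sp;relayStateRef={ref}"}


def logout_buggy(cache, cts, session_id):
    """Behaviour reported in the issue: resolve the reference through the cache."""
    ref = cts[session_id]["logout_string"].split("relayStateRef=")[1]
    target = cache.get(ref)
    return target if target is not None else SUCCESS_PAGE


def logout_fixed(sp_config):
    """Direction suggested in the issue: the Single Logout URL is SP
    configuration, so read it at logout time instead of trusting the cache."""
    return sp_config.get("singleLogoutUrl") or SUCCESS_PAGE


def demo(elapsed_seconds):
    """Log in, advance a fake clock, log out; returns (buggy, fixed) redirect targets."""
    now = [1_000_000.0]
    cache, cts = TtlCache(DEFAULT_CACHE_TTL, clock=lambda: now[0]), {}
    sp_config = {"singleLogoutUrl": "http://forgerock.com"}  # from the issue's setup
    login(cache, cts, "sess1", sp_config["singleLogoutUrl"])
    now[0] += elapsed_seconds
    return logout_buggy(cache, cts, "sess1"), logout_fixed(sp_config)
```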




    • Assignee: Nathalie Hoet
    • Votes: 0
    • Watchers: 3