OpenAM / OPENAM-11835

SLO not redirecting to RelayState if logout after more than 10 minutes (default cache time) in SAML2 AuthN module

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0
    • Fix Version/s: None
    • Component/s: authentication, SAML

      Description

      Bug description

      Setup with AM as SP using SAML2 AuthN module with SLO enabled and Single Logout URL set. Cache not modified (10 min). When users log out after more than 10 minutes, they do not get redirected to the Logout URL but see the "SP initiated single logout succeeded." page instead.

      How to reproduce the issue

      CONFIGURATION AND BASELINE TESTING
      1. Install IDP (http://idp.example.net:28080/openam) and create a hosted IdP
      2. Install SP http://sp.example.com:38080/openam
      3. Set up SAML2 integrated mode (add SAML2 module, configure with IdP settings, create SAML2 chain, modify services with AuthConsumer instead of Consumer)
      4. Register remote SP on IdP and remote Idp on SP
      5. Enable SAML2 failover (on the SP)
      6. Test SAML2 chain
      7. Enable SLO and add a value for Single Logout URL, such as http://forgerock.com
      8. Add the SAML2 POST Auth plugin to the chain
      9. Test SLO works correctly: when logging out soon after logging in, user is redirected to http://forgerock.com
      TESTING
      1. Log user in
      2. Wait for 15 minutes
      3. Click on logout 
      4. Observe the result
      Expected behaviour
      User redirected to configured Single Logout URL, in this case http://forgerock.com
      
      Current behaviour
      User redirected to a page saying "SP initiated single logout succeeded." 
      

      Code analysis

      See comments from OPENAM-11795.

      The RelayState reference is saved in the logout string (itself saved in CTS since SAML2 failover is enabled). However, the value the reference points to is only held in the cache and is lost after 10 minutes.

      RelayState is a configuration setting, so it can be (and should be) added at logout time.
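      The failure mode described above, as an added model written for this page (it is not OpenAM code and uses none of its classes): a login-time TTL cache holding the RelayState value, a durable per-session logout record that carries only the cache key, and two logout paths. The "buggy" path resolves the key through the cache and falls back to the success page once the entry has expired; the "fixed" path reads the configured Single Logout URL at logout time. The class and function names, the FakeClock, and the optional prefix allow-list on the redirect target are assumptions made for the example.

```python
import hashlib
import time
from dataclasses import dataclass

SUCCESS_PAGE = "SP initiated single logout succeeded."
DEFAULT_CACHE_TTL = 10 * 60  # the 10-minute default cache time the report refers to


class FakeClock:
    """Controllable clock so the test can 'wait' without sleeping (example helper)."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TtlCache:
    """In-memory cache whose entries expire ttl_seconds after insertion.

    Models the SP-side cache in which the RelayState value is kept (assumption:
    a plain expiring map; OpenAM's real cache implementation is not reproduced).
    """

    def __init__(self, ttl_seconds: int, clock=time.time) -> None:
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = {}  # key -> (value, expires_at)

    def put(self, key: str, value: str) -> None:
        self._entries[key] = (value, self.clock() + self.ttl)

    def get(self, key: str):
        item = self._entries.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self.clock() >= expires_at:  # expired: behave as if never stored
            del self._entries[key]
            return None
        return value


@dataclass
class SpConfig:
    single_logout_url: str            # the module's "Single Logout URL" setting
    allowed_relay_prefixes: tuple = ()  # assumed allow-list for redirect targets


@dataclass
class LogoutRecord:
    """Durable per-session logout data (stands in for the CTS-backed logout string).

    Only the reference is persisted; the RelayState value itself is not.
    """
    session_id: str
    relay_state_ref: str


def login_buggy(session_id: str, config: SpConfig, cache: TtlCache, clock) -> LogoutRecord:
    """Login path as described in the report: value cached, reference persisted."""
    ref = hashlib.sha256(f"{session_id}:{clock()}".encode()).hexdigest()[:16]
    cache.put(ref, config.single_logout_url)
    return LogoutRecord(session_id=session_id, relay_state_ref=ref)


def logout_buggy(record: LogoutRecord, cache: TtlCache) -> str:
    """Logout path that dereferences the cached value; falls back when it is gone."""
    relay_state = cache.get(record.relay_state_ref)
    return relay_state if relay_state else SUCCESS_PAGE


def relay_state_allowed(url: str, config: SpConfig) -> bool:
    """Assumed allow-list check: an empty list means 'no restriction'."""
    if not config.allowed_relay_prefixes:
        return True
    return any(url.startswith(p) for p in config.allowed_relay_prefixes)


def logout_fixed(record: LogoutRecord, config: SpConfig) -> str:
    """Logout path that reads the configured URL at logout time; no cache involved."""
    relay_state = config.single_logout_url
    if relay_state and relay_state_allowed(relay_state, config):
        return relay_state
    return SUCCESS_PAGE


def run_scenario(wait_seconds: float, ttl_seconds: int = DEFAULT_CACHE_TTL):
    """Log in, wait, log out. Returns (buggy_result, fixed_result)."""
    clock = FakeClock()
    cache = TtlCache(ttl_seconds, clock)
    config = SpConfig(single_logout_url="http://forgerock.com",
                      allowed_relay_prefixes=("http://forgerock.com",))
    record = login_buggy("session-1", config, cache, clock)
    clock.advance(wait_seconds)
    return logout_buggy(record, cache), logout_fixed(record, config)


if __name__ == "__main__":
    print("logout after 1 min :", run_scenario(60))
    print("logout after 15 min:", run_scenario(15 * 60))
```

      Run stand-alone, the first call returns the configured URL on both paths and the second returns the success page on the buggy path only, which matches the "soon after login" versus "wait 15 minutes" steps above. The allow-list check is included because RelayState is a redirect target: whichever path resolves it, the value should be validated against the SP's configured relay-state list before the user is sent there.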


        People

          • Assignee: Unassigned
          • Reporter: nathalie.hoet Nathalie Hoet