Project: OpenAM
Issue: OPENAM-12194

SLO with the SAML2 Auth Module PAP redirects to 'XUI/nullnull' when IDP has no SingleLogoutService defined

Details

    • Sprint: AM Sustaining Sprint 48

      Description

      Bug description

If the remote IDP does not have the optional SingleLogoutService defined in its metadata, logging out after authenticating with the SAML2 authentication module with SLO configured redirects the browser to /openam/XUI/nullnull. The SP session is terminated, but the IDP session obviously is not.

This is a bad user experience and should fail more gracefully.

      How to reproduce the issue

1. Configure a hosted SP and a remote IDP in integrated (AuthConsumer) mode.
2. Configure the SAML2 auth module in a chain, with the PAP and SLO enabled (with a RelayState defined).
3. Remove all SingleLogoutService endpoint values from the remote IDP entity.
4. Authenticate successfully using the chain + SAML flow.
5. Click Log out of the SP.

Expected behaviour

User is logged out of the SP and redirected to the RelayState. An error is written to the debug logs citing the missing SLO endpoints and the failure to send the LogoutRequest.

      Current behaviour

User is logged out of the SP but is redirected to /openam/XUI/nullnull (HTTP 404).

Workaround

Disable SLO, or include the correct SingleLogoutService endpoints (if the IDP supports SLO).
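The graceful fallback the ticket asks for, shown as an added example in Python rather than OpenAM's own Java code: check the IDP metadata for a SingleLogoutService before attempting to send a LogoutRequest, and when none is published, send the user to the RelayState and log the gap instead of assembling a redirect from missing values. The metadata documents, entity IDs and URLs below are constructed for the example.

```python
import logging
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
log = logging.getLogger("saml2.slo")

# Constructed IDP metadata (not from the ticket): one IDP that publishes an
# SLO endpoint and one that only publishes SSO, as in the reproduction steps.
IDP_WITH_SLO = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.test/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/idp/slo"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/idp/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
IDP_WITHOUT_SLO = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.test/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/idp/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def idp_slo_endpoints(metadata_xml):
    """Map Binding -> Location for every SingleLogoutService under IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for desc in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for svc in desc.iter(f"{{{MD_NS}}}SingleLogoutService"):
            if svc.get("Binding") and svc.get("Location"):
                endpoints[svc.get("Binding")] = svc.get("Location")
    return endpoints


def resolve_logout_redirect(metadata_xml, relay_state):
    """Decide where the browser goes once the SP session has been destroyed.

    Returns (target_url, logout_request_sent). Without a SingleLogoutService
    there is nothing to address a LogoutRequest to, so the user is sent to the
    RelayState and the missing endpoint is logged as an error.
    """
    endpoints = idp_slo_endpoints(metadata_xml)
    entity_id = ET.fromstring(metadata_xml).get("entityID", "<unknown IDP>")
    for binding in (HTTP_REDIRECT, HTTP_POST):  # prefer the redirect binding for SLO
        if binding in endpoints:
            return endpoints[binding], True
    log.error("IDP %s has no SingleLogoutService endpoint; LogoutRequest not sent, "
              "redirecting to RelayState %s", entity_id, relay_state)
    return relay_state, False
```

The same metadata check is worth running against a remote IDP entity before enabling SLO on the auth module, since the workaround above only holds while the endpoints actually exist.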

            People

            lawrence.yarham Lawrence Yarham
            joe.starling Joe Starling