If the remote IDP does not have the optional SingleLogoutService defined in its metadata, logging out after using the SAML2 authentication module with SLO configured redirects the browser to /openam/XUI/nullnull. The SP session is terminated, but the IDP session is not.
This is a bad user experience and should fail more gracefully.
Steps to reproduce:
- Configure hosted SP and remote IDP in integrated (AuthConsumer) mode.
- Configure the SAML2 auth module in a chain, with the PAP and SLO enabled (with a relaystate defined).
- Remove all SingleLogoutService endpoint values from the remote IDP entity.
- Authenticate successfully using the chain + SAML flow.
- Click Log out of the SP.
Expected result: User is logged out of the SP and redirected to the relaystate. An error is written to the debug logs citing the missing SLO endpoints and the failure to send the LogoutRequest.
Actual result: User is logged out of the SP but is redirected to /openam/XUI/nullnull (HTTP 404).
Workaround: Disable SLO or include correct endpoints (if the IDP supports SLO).
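A pre-flight check for the condition described above, as an added example that is not OpenAM code: it parses IDP metadata for SingleLogoutService endpoints and, when none exist, falls back to the relaystate with an error instead of building a URL from missing values. The entity IDs, URLs and the function names `slo_endpoints` and `logout_plan` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata (not from the report): one IDP with SLO, one without.
IDP_WITH_SLO = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp-a.example.test">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{REDIRECT}" Location="https://idp-a.example.test/slo"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp-a.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

IDP_WITHOUT_SLO = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp-b.example.test">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp-b.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def slo_endpoints(metadata_xml):
    """Return (Binding, Location) pairs for each usable IDP SingleLogoutService."""
    root = ET.fromstring(metadata_xml)
    path = f".//{{{MD}}}IDPSSODescriptor/{{{MD}}}SingleLogoutService"
    found = []
    for svc in root.iterfind(path):
        binding, location = svc.get("Binding"), svc.get("Location")
        if binding and location:  # skip entries that could not form a URL
            found.append((binding, location))
    return found


def logout_plan(metadata_xml, relay_state):
    """Choose the post-logout step; never concatenate missing endpoint values."""
    endpoints = slo_endpoints(metadata_xml)
    if endpoints:
        binding, location = endpoints[0]
        return {"action": "send_logout_request", "binding": binding,
                "url": location, "error": None}
    # No SLO endpoint: end the SP session only, redirect to the relaystate, log why.
    return {"action": "redirect", "binding": None, "url": relay_state,
            "error": "IDP metadata has no SingleLogoutService; LogoutRequest not sent"}


if __name__ == "__main__":
    for name, md in (("with SLO", IDP_WITH_SLO), ("without SLO", IDP_WITHOUT_SLO)):
        print(name, logout_plan(md, "https://sp.example.test/loggedout"))
```

Running `slo_endpoints` against a remote IDP's metadata before enabling SLO on the module shows whether the workaround (disable SLO) applies to that entity.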