Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-12194

SLO with the SAML2 Auth Module PAP redirects to 'XUI/nullnull' when IDP has no SingleLogoutService defined


    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0, 5.5.1
    • Fix Version/s: None
    • Component/s: authentication, SAML
    • Labels:
    • Sprint:
      AM Sustaining Sprint 48
    • Support Ticket IDs:


      Bug description

      If the remote IDP does not have the optional SingleLogoutService defined in its metadata, logging out after using the saml2 authentication module with SLO configured will redirect the browser to /openam/XUI/nullnull. The SP session is terminated but obviously the IDP session is not.


      This is a bad user experience and should fail more gracefully.

      How to reproduce the issue

      1. Configure hosted SP and remote IDP in integrated (AuthConsumer) mode.
      2. Configure SAML2 auth module in a chain, with the PAP and SLO enabled (with a relaystate defined)
      3. Remove all SingleLogoutService endpoint values from the remote IDP entity.
      4. Authenticate successfully using the chain + SAML flow
      5. Click Log out of the SP
      Expected behaviour

      User is logged out of SP and redirected to the relaystate. Write an error in the debug logs citing missing SLO endpoints and failure to send the LogoutRequest

      Current behaviour

      User is logged out of SP but is redirected to /openam/XUI/nullnull (HTTP 404)

      Work around

      Disable SLO or include correct endpoints (if IDP supports SLO).




            • Assignee:
              joe.starling Joe Starling
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: