  1. OpenAM
  2. OPENAM-14051

SAML2 PAP doesn't handle session termination

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0
    • Fix Version/s: None
    • Component/s: SAML
    • Sprint:
      AM Sustaining Sprint 58
    • Story Points:
      5

      Description

      Bug description

      SAML Post Authentication Plugin doesn't handle the session termination scenario, but only active-logout requests.

      How to reproduce the issue

      1. Configure an SP & IDP
      2. On the SP, configure the SAML2 Module
        1. enable SLO
        2. add an SLO URL
      3. Add the SAML2 module in a chain and add _org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin_ as a chain PAP
      4. Hit the newly created chain and perform SSO using the demo user
      5. Now, on a different browser, log in as admin in the SP and delete the demo user session
      6. Observe the IDP session is still active.

      Expected behaviour

      SAML PAP should be called when the SP session is terminated.

      Current behaviour

      SAML PAP is not called.

      Work around

      Session synchronization can be used, as it handles session timeouts, terminations and logout requests. However, the IDP should support SOAP SLO, as it uses the back-channel binding only.

            People

            • Assignee: Unassigned
            • Reporter: anastasios.kampas Tasos Kampas
            • Votes: 1
            • Watchers: 8