Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-14985

SP Initiated single logout only performs local logout if SP session cannot be found in cache



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 5.5.1, 6.0.0, 6.5.0, 6.5.1, 7.0.0
    • None
    • None
    • AM Sustaining Sprint 63, AM Sustaining Sprint 64, AM Sustaining Sprint 65
    • 5


      Bug description

      If performing an SP initiated SLO and the SP Federated session cannot be found in the SP's cache, only a local logout is performed.

      This could be caused by an SP restart or if sticky load balancing is not used.

      How to reproduce the issue

      1. Deploy 2 AM instances, each using embedded config and user store and having separate cookie domains, e.g. http://idp.amtest2.com:9080/access and http://sp.amtest2.com:7080/access
      2. On IdP, configure a hosted Identity Provider, using mail as the mapping attribute.
      3. On SP configure Hosted Service Provider.
      4. In SP, created a remote IdP, using metadata url of http://idp.amtest2.com:9080/access/saml2/jsp/exportmetadata.jsp.
      5. In IdP, created a remote SP, using attribute mapping of mail -> mail, using metadata url of: http://sp.amtest2.com:7080/access/saml2/jsp/exportmetadata.jsp.
      6. In IdP, edited demo user to have an email address.
      7. On both IdP and SP, Configure -> Global Services -> SAML 2.0 Service Configuration, then Enable SAML v2.0 failover.
      8. Perform an SP initiated SSO: http://sp.amtest2.com:7080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp
      9. Stop and restart the SP.
      10. Perform an SP initiated SLO: http://sp.amtest2.com:7080/access/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=http%3A%2F%2Fidp.amtest2.com%3A9080%2Faccess.
      11. Repeat the SSO at step 8.
      Expected behaviour
      Single logout succeeded message is shown and then performing a new SSO will result in the user being prompted for login at the IdP.
      Current behaviour
      Single logout succeeded message is shown but then starting a new SSO request results in the Single Sign-on succeeded message being shown without being prompted for login i.e. the session was still active at the IdP and SLO had not been performed.
      In the Federation debug logs, see:
      c.s.i.s.p.SPSingleLogout: 2019-05-24 16:58:51,025: Thread[http-bio-7080-exec-1]: TransactionId[aa9cda39-84a6-46a7-84c7-3e65ae4ffaa9-1256]
      DEBUG: No session partner, just do local logout.

      Work around

      Use sticky load balancing to ensure that same SP that performed login is used for logout.

      Code analysis

      SP looks in cache for SP fed session and if it does not find it then only terminates local session.

      List list =
      if (list != null) {
      if (fedSession == null) {
          // just do local logout
          if (debug.isDebugEnabled()) {
                      "No session partner, just do local logout.");
          return null;


          Issue Links



              Unassigned Unassigned
              lawrence.yarham Lawrence Yarham
              0 Vote for this issue
              3 Start watching this issue