If an SP initiated SLO is performed and the SP federated session cannot be found in the SP's cache, only a local logout is performed: the local SP session is ended, but the IdP is never asked to end its session.
This happens after an SP restart, or when sticky load balancing is not used and the logout request is handled by a different SP instance than the one that performed the login.
How to reproduce the issue
1. Deploy 2 AM instances, each using an embedded config and user store and having separate cookie domains, e.g. http://idp.amtest2.com:9080/access and http://sp.amtest2.com:7080/access
2. On the IdP, configure a hosted Identity Provider, using mail as the mapping attribute.
3. On the SP, configure a hosted Service Provider.
4. On the SP, create a remote IdP using the metadata URL http://idp.amtest2.com:9080/access/saml2/jsp/exportmetadata.jsp
5. On the IdP, create a remote SP with an attribute mapping of mail -> mail, using the metadata URL http://sp.amtest2.com:7080/access/saml2/jsp/exportmetadata.jsp
6. On the IdP, edit the demo user to have an email address.
7. On both the IdP and the SP, go to Configure -> Global Services -> SAML 2.0 Service Configuration and enable SAML v2.0 failover.
8. Perform an SP initiated SSO: http://sp.amtest2.com:7080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp
9. Stop and restart the SP.
10. Perform an SP initiated SLO: http://sp.amtest2.com:7080/access/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=http%3A%2F%2Fidp.amtest2.com%3A9080%2Faccess
11. Repeat the SP initiated SSO from step 8.
As a workaround, use sticky load balancing so that the same SP instance that performed the login also handles the logout.
The SP looks in its cache for the SP federated session; if it does not find it, it only terminates the local session and sends nothing to the IdP, so the IdP session remains active.
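To make that cache lookup concrete, here is an added Python model (not AM's own code) of the SP-side SLO decision described on this page: two SP nodes behind a load balancer, each with only an in-memory federated session cache. The node names, the LoadBalancer class and the session id "sess-1" are constructed for the illustration; run_scenario returns "local-only" whenever the logout lands on a node whose cache lacks the session, which is exactly the case in which the IdP session is left active.

```python
import itertools
from dataclasses import dataclass, field

IDP_ENTITY_ID = "http://idp.amtest2.com:9080/access"  # IdP entity ID from the setup above

@dataclass
class SPInstance:
    """One AM SP node; its federated sessions live only in an in-memory cache."""
    name: str
    cache: dict = field(default_factory=dict)  # local session id -> IdP entity ID

    def restart(self) -> None:
        self.cache.clear()  # a restart wipes the federated session cache

class LoadBalancer:
    """Round-robin front end; with sticky=True a session stays on the node it first hit."""
    def __init__(self, nodes, sticky: bool):
        self.sticky = sticky
        self._rr = itertools.cycle(nodes)
        self._pinned = {}

    def route(self, session_id: str) -> SPInstance:
        if self.sticky and session_id in self._pinned:
            return self._pinned[session_id]
        node = next(self._rr)
        self._pinned[session_id] = node
        return node

def sp_sso(lb: LoadBalancer, session_id: str) -> SPInstance:
    node = lb.route(session_id)
    node.cache[session_id] = IDP_ENTITY_ID  # fed session is recorded on this node only
    return node

def sp_slo(lb: LoadBalancer, session_id: str) -> str:
    """'global': fed session found, so the IdP would be asked to end its session too.
    'local-only': cache miss, so only the local SP session is terminated (the bug)."""
    node = lb.route(session_id)
    if session_id in node.cache:
        del node.cache[session_id]
        return "global"
    return "local-only"

def run_scenario(sticky: bool, restart_sp: bool) -> str:
    """Login on a 2-node SP pool, optionally restart the node that handled login, then SLO."""
    lb = LoadBalancer([SPInstance("sp1"), SPInstance("sp2")], sticky)
    login_node = sp_sso(lb, "sess-1")  # "sess-1" is a constructed session id
    if restart_sp:
        login_node.restart()
    return sp_slo(lb, "sess-1")
```

A "local-only" result is the condition worth logging and alerting on in a real deployment, since the user believes they are logged out while the IdP session still exists.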