OpenAM / OPENAM-14995

IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0, 6.5.0, 6.5.1, 7.0.0
    • Fix Version/s: 6.5.3, 7.0.0
    • Component/s: SAML
    • Sprint: AM Sustaining Sprint 63, AM Sustaining Sprint 64
    • Story Points: 5
    • Needs backport: No
    • Needs QA verification: No
    • Functional tests: No
    • Are the reproduction steps defined?: Yes, and I used the same ones as in the description

      Description

      Bug description

      If an IdP-initiated SLO is performed and the IdP session cannot be found in the IdP's session cache, only a local logout is performed: the IdP invalidates its own session and reports success to the user, but no LogoutRequest is sent to the SP, so the user's SP session stays valid.

      The cache miss can be caused by an IdP restart, or by an IdP deployment without sticky load balancing, where the SLO request reaches an IdP instance other than the one whose cache holds the session.

      Note that where there are multiple SPs, a variation of this bug is that the IdP session cache can become stale, resulting in SLO not being sent to all the SPs that it should be sent to.

      How to reproduce the issue

      1. Deploy 2 AM instances, each using embedded config and user store and having separate cookie domains, e.g. http://idp.amtest2.com:9080/access and http://sp.amtest2.com:7080/access
      2. On the IdP, configure a hosted Identity Provider, using mail as the mapping attribute.
      3. On the SP, configure a hosted Service Provider.
      4. On the SP, create a remote IdP, using the metadata URL http://idp.amtest2.com:9080/access/saml2/jsp/exportmetadata.jsp
      5. On the IdP, create a remote SP with an attribute mapping of mail -> mail, using the metadata URL http://sp.amtest2.com:7080/access/saml2/jsp/exportmetadata.jsp
      6. On the IdP, edit the demo user to have an email address.
      7. On both the IdP and the SP, go to Configure -> Global Services -> SAML 2.0 Service Configuration and enable SAML v2.0 failover.
      8. Perform an SP-initiated SSO: http://sp.amtest2.com:7080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp
      9. Stop and restart the IdP.
      10. Perform an IdP-initiated SLO: http://idp.amtest2.com:9080/access/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/idp&spEntityID=http%3A%2F%2Fsp.amtest2.com%3A7080%2Faccess&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
          Verify that a message is shown indicating that the IdP-initiated logout was successful.
      11. Navigate to the SP, e.g. http://sp.amtest2.com:7080/access

      Expected behaviour

      The end user is prompted to log in again.

      Current behaviour

      The user profile page is shown, i.e. the SP session survived the IdP-initiated logout that was reported as successful.

      Work around

      Use sticky load balancing so that the same IdP instance handles all of an end user's requests, which keeps the SLO request on the instance whose cache holds the session (this does not, however, resolve the case of an IdP restart).

      Code analysis

      IDPSingleLogout.initiateLogoutRequest attempts to retrieve the IdP session from the cache and, if it is not present, only invalidates the session at the IdP; no LogoutRequest is sent to any SP, even with SAML v2.0 failover enabled as in step 7 of the reproduction steps.
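      The following is an added model of the lookup described above; it is not OpenAM code. Two IdpNode instances share a FailoverStore (standing in for the failover store that step 7 enables) but each keeps a private in-memory cache. initiate_logout_buggy does what the ticket describes; initiate_logout_fixed shows one way to correct it by merging the shared store with the cache. The ticket does not say how the real fix was implemented, so that approach, every class and function name, the NameID value and the second SP entity ID http://sp2.amtest2.com:7081/access are assumptions made for this example. It runs both the restart case from the reproduction steps and the multi-SP stale-cache variation from the description.

```python
"""Model of IdP-initiated SAML 2.0 single logout with a per-node in-memory
session cache and a shared failover store. Added illustration for
OPENAM-14995, not OpenAM code; all names below are hypothetical."""
from dataclasses import dataclass, field
import uuid

IDP_ENTITY_ID = "http://idp.amtest2.com:9080/access"
SP1 = "http://sp.amtest2.com:7080/access"    # SP from the reproduction steps
SP2 = "http://sp2.amtest2.com:7081/access"   # hypothetical second SP (stale-cache case)


@dataclass
class IdpSession:
    session_index: str
    name_id: str
    # every SP that received an assertion in this IdP session needs a LogoutRequest
    sp_entity_ids: set = field(default_factory=set)

    def copy(self):
        return IdpSession(self.session_index, self.name_id, set(self.sp_entity_ids))


class FailoverStore:
    """Shared, persistent store. Rows are copied in and out so a node's cached
    object and the shared row can drift apart, as they do between real nodes."""
    def __init__(self):
        self._rows = {}

    def save(self, sess):
        self._rows[sess.session_index] = sess.copy()

    def load(self, session_index):
        row = self._rows.get(session_index)
        return None if row is None else row.copy()

    def delete(self, session_index):
        self._rows.pop(session_index, None)


class IdpNode:
    def __init__(self, store):
        self.store = store
        self.cache = {}             # per-node memory: lost on restart, never shared
        self.live_sessions = set()  # the IdP's own SSO sessions; "local logout" removes from here

    def single_sign_on(self, session_index, name_id, sp_entity_id):
        sess = (self.cache.get(session_index) or self.store.load(session_index)
                or IdpSession(session_index, name_id))
        sess.sp_entity_ids.add(sp_entity_id)
        self.cache[session_index] = sess
        self.store.save(sess)
        self.live_sessions.add(session_index)

    def restart(self):
        self.cache.clear()  # persisted sessions survive a restart; the cache does not

    def _logout_requests(self, sess):
        # one LogoutRequest per SP, carrying what the SP needs to find the session to end
        return [{"ID": "_" + uuid.uuid4().hex, "Issuer": IDP_ENTITY_ID, "Destination": sp,
                 "NameID": sess.name_id, "SessionIndex": sess.session_index}
                for sp in sorted(sess.sp_entity_ids)]

    def initiate_logout_buggy(self, session_index):
        """Behaviour the ticket describes: cache only; on a miss, local logout and nothing else."""
        self.live_sessions.discard(session_index)
        sess = self.cache.pop(session_index, None)
        if sess is None:
            return []  # no SP is told, so every SP session stays valid
        return self._logout_requests(sess)

    def initiate_logout_fixed(self, session_index):
        """Assumed correction: merge the shared store with the cache, so a cache miss
        (restart, other node) or a stale cache entry still reaches every SP."""
        self.live_sessions.discard(session_index)
        cached = self.cache.pop(session_index, None)
        stored = self.store.load(session_index)
        if cached is None and stored is None:
            return []
        sess = stored or cached
        if cached is not None and stored is not None:
            sess.sp_entity_ids |= cached.sp_entity_ids
        self.store.delete(session_index)
        return self._logout_requests(sess)


def scenarios():
    """Returns {(case, variant): (SPs sent a LogoutRequest, IdP session still live)}."""
    results = {}
    for variant in ("buggy", "fixed"):   # restart case, steps 8-10 of the ticket
        idp = IdpNode(FailoverStore())
        idp.single_sign_on("idx-1", "demo@amtest2.com", SP1)
        idp.restart()
        sent = getattr(idp, "initiate_logout_" + variant)("idx-1")
        results[("restart", variant)] = ([r["Destination"] for r in sent],
                                         "idx-1" in idp.live_sessions)
    for variant in ("buggy", "fixed"):   # two nodes behind a non-sticky load balancer
        store = FailoverStore()
        node_a, node_b = IdpNode(store), IdpNode(store)
        node_a.single_sign_on("idx-2", "demo@amtest2.com", SP1)
        node_b.single_sign_on("idx-2", "demo@amtest2.com", SP2)  # node_a's cache never learns of SP2
        sent = getattr(node_a, "initiate_logout_" + variant)("idx-2")
        results[("stale", variant)] = ([r["Destination"] for r in sent],
                                       "idx-2" in node_a.live_sessions)
    return results
```

      In both cases the buggy variant ends the IdP session (the "logout successful" message in step 10 is truthful as far as the IdP is concerned) while sending no, or too few, LogoutRequests; the merged lookup sends one to every SP recorded in either place.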

        People

        • Assignee: Lawrence Yarham (lawrence.yarham)
        • Reporter: Lawrence Yarham (lawrence.yarham)
        • Votes: 0
        • Watchers: 4