Affects Version/s: 5.5.1, 6.0.0, 6.5.0, 6.5.1, 7.0.0
If performing an IdP initiated SLO and the IdP session cannot be found in the IdP's cache, only a local logout is performed.
This can happen after an IdP restart, or when sticky load balancing is not used.
Note that where there are multiple SPs, a variation of this bug is that the IdP session cache can become stale, so that the SLO is not sent to all the SPs it should be sent to.
- Deploy 2 AM instances, each using embedded config and user store and having separate cookie domains, e.g. http://idp.amtest2.com:9080/access and http://sp.amtest2.com:7080/access
- On IdP, configure a hosted Identity Provider, using mail as the mapping attribute.
- On SP configure Hosted Service Provider.
- In SP, create a remote IdP, using the metadata URL http://idp.amtest2.com:9080/access/saml2/jsp/exportmetadata.jsp.
- In IdP, create a remote SP, using the attribute mapping mail -> mail and the metadata URL http://sp.amtest2.com:7080/access/saml2/jsp/exportmetadata.jsp.
- In IdP, edit the demo user to have an email address.
- On both IdP and SP, Configure -> Global Services -> SAML 2.0 Service Configuration, then Enable SAML v2.0 failover.
- Perform an SP initiated SSO: http://sp.amtest2.com:7080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp
- Stop and restart the IdP.
- Perform an IdP initiated SLO: http://idp.amtest2.com:9080/access/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/idp&spEntityID=http%3A%2F%2Fsp.amtest2.com%3A7080%2Faccess&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. Verify that a message is shown indicating that the IdP initiated logout was successful.
- Navigate to the SP, e.g. http://sp.amtest2.com:7080/access.
Use sticky load balancing to ensure that the same SP is used for all end user requests (however this does not resolve the case of an IdP restart).
IDPSingleLogout.initiateLogoutRequest attempts to retrieve the IdP session from the cache and, if it is not present, only invalidates the session at the IdP without sending a LogoutRequest to any SP.
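The cache-miss behaviour described above, modelled as an added Python example (constructed for this report, not OpenAM code; the IdpNode class, its method names and the second SP entity ID are assumptions). It reproduces both the restart case and the stale-cache case with two IdP nodes, and shows the difference a fallback to a shared (failover) store makes to which SPs receive a LogoutRequest:

```python
from dataclasses import dataclass, field

# Constructed model of IdP-initiated SLO (not OpenAM code): one in-memory session
# cache per IdP node plus a shared store standing in for the SAML v2.0 failover store.

@dataclass
class IdpNode:
    """One IdP instance. `cache` dies with the process; `shared_store` can be
    passed in so several nodes share it, as a failover store would be."""
    cache: dict = field(default_factory=dict)
    shared_store: dict = field(default_factory=dict)
    local_sessions: set = field(default_factory=set)

    def sso(self, session_id, sp_entity_id):
        """Federate session_id with an SP and record the partner in both places."""
        self.local_sessions.add(session_id)
        self.cache.setdefault(session_id, set()).add(sp_entity_id)
        self.shared_store.setdefault(session_id, set()).add(sp_entity_id)

    def restart(self):
        self.cache.clear()  # in-memory cache is lost; the shared store is not

    def initiate_logout(self, session_id, consult_shared_store=False):
        """Return the SP entity IDs that would be sent a LogoutRequest. As in the
        report, the local session is always invalidated; partners only if found."""
        self.local_sessions.discard(session_id)
        partners = set(self.cache.get(session_id, set()))
        if consult_shared_store:  # the fallback the reported code path lacks
            partners |= self.shared_store.get(session_id, set())
        return partners

SP1 = "http://sp.amtest2.com:7080/access"
SP2 = "http://sp2.amtest2.com:7081/access"  # constructed second SP

def restart_scenario(consult_shared_store):
    """IdP restarted between SSO and SLO (the main report)."""
    idp = IdpNode()
    idp.sso("idp-sess-1", SP1)
    idp.restart()
    return idp.initiate_logout("idp-sess-1", consult_shared_store)

def stale_cache_scenario(consult_shared_store):
    """Two IdP nodes behind a non-sticky load balancer (the multi-SP variation):
    each SSO lands on a different node, so no single cache knows both SPs."""
    shared = {}
    node_a, node_b = IdpNode(shared_store=shared), IdpNode(shared_store=shared)
    node_a.sso("idp-sess-2", SP1)
    node_b.sso("idp-sess-2", SP2)
    return node_a.initiate_logout("idp-sess-2", consult_shared_store)
```

Without the fallback the restart scenario notifies no SP at all and the stale-cache scenario notifies only the SP known to the node handling the logout; with it, every federated SP is included.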