OpenAM / OPENAM-2922

SP initiated SLO can fail with IllegalStateException


      Description

      Steps to reproduce:

      • set up two OpenAM instances
      • on the first OpenAM instance create two hosted SP instances
      • on the second OpenAM instance create one hosted IdP
      • perform SP initiated SSO with the first SP:
        /spssoinit?metaAlias=/sp&idpEntityID=http://openam.example.com:18080/openam
      • perform SP initiated SSO with the second SP
      • at this point both authentications should have succeeded
      • perform SP initiated logout (note that only the IdP is given, no metaAlias):
        /saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=http://openam.example.com:18080/openam

      The result is an ugly HTTP 500 page, and in the logs you can see:

      java.lang.IllegalStateException
      	at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:437)
      	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:170)
      	at org.forgerock.openam.validation.ResponseValidationFilter$ValidationWrapper.sendRedirect(ResponseValidationFilter.java:68)
      	at com.sun.identity.saml2.profile.LogoutUtil.doSLOByHttpRedirect(LogoutUtil.java:371)
      	at com.sun.identity.saml2.profile.LogoutUtil.doLogout(LogoutUtil.java:266)
      	at com.sun.identity.saml2.profile.SPSingleLogout.prepareForLogout(SPSingleLogout.java:449)
      	at com.sun.identity.saml2.profile.SPSingleLogout.initiateLogoutRequest(SPSingleLogout.java:323)
      	at com.sun.identity.saml2.profile.SPSingleLogout.initiateLogoutRequest(SPSingleLogout.java:143)
      	at org.apache.jsp.saml2.jsp.spSingleLogoutInit_jsp._jspService(spSingleLogoutInit_jsp.java:279)

      This happens because SP initiated SLO tries to send a LogoutRequest to the IdP on behalf of both SPs at once. With the HTTP-Redirect binding each LogoutRequest is a sendRedirect() on the same servlet response; the first call commits the response, and the second call is what throws the IllegalStateException seen in the trace.
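The following is an added illustration, not OpenAM's code and not part of the original report. It models the servlet response's "committed" state, builds a SAML 2.0 LogoutRequest per SP session and encodes it with the HTTP-Redirect binding (raw DEFLATE, base64, URL parameter), then shows the failing path (one redirect per SP on a single response) next to the behaviour a fix needs: redirect for exactly one SP, selected by metaAlias, and hand the remaining sessions back so they can be logged out in a later exchange. The SP entity IDs, NameID, SessionIndex values and the IdP endpoint path are constructed sample data.

```python
import base64
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone


class IllegalStateException(Exception):
    """Stand-in for the container exception raised by sendRedirect() on a committed response."""


class Response:
    """Minimal model of the redirect state of an HttpServletResponse."""

    def __init__(self):
        self.committed = False
        self.location = None

    def send_redirect(self, url):
        if self.committed:
            raise IllegalStateException("response already committed")
        self.committed = True
        self.location = url


# Constructed sample: the IdP from the report, plus two hosted SPs on one
# OpenAM instance that both hold a session at that IdP (entity IDs assumed).
IDP_ENTITY_ID = "http://openam.example.com:18080/openam"
IDP_SLO_REDIRECT = IDP_ENTITY_ID + "/IDPSloRedirect/metaAlias/idp"  # assumed endpoint path
SP_SESSIONS = [
    {"metaAlias": "/sp",  "entityID": "http://sp1.example.com:8080/openam", "nameID": "alice", "sessionIndex": "s-1"},
    {"metaAlias": "/sp2", "entityID": "http://sp2.example.com:8080/openam", "nameID": "alice", "sessionIndex": "s-2"},
]


def build_logout_request(sp_entity_id, idp_entity_id, name_id, session_index):
    """Build a minimal, unsigned samlp:LogoutRequest for one SP session."""
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_entity_id}/IDPSloRedirect/metaAlias/idp">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        f'<saml:NameID>{name_id}</saml:NameID>'
        f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex>'
        '</samlp:LogoutRequest>'
    )


def redirect_binding_url(slo_endpoint, logout_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode as SAMLRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    deflated = compressor.compress(logout_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return slo_endpoint + "?" + urllib.parse.urlencode(params)


def decode_saml_request(url):
    """Inverse of redirect_binding_url, used to inspect what was sent."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def slo_all_sps_by_redirect(response, sessions):
    """The failing pattern: one redirect per SP session on the same response."""
    for s in sessions:
        xml = build_logout_request(s["entityID"], IDP_ENTITY_ID, s["nameID"], s["sessionIndex"])
        response.send_redirect(redirect_binding_url(IDP_SLO_REDIRECT, xml))


def reproduce_double_redirect(sessions):
    """Run the failing pattern; return (exception_raised, location_of_first_redirect)."""
    response = Response()
    try:
        slo_all_sps_by_redirect(response, sessions)
        return False, response.location
    except IllegalStateException:
        return True, response.location


def slo_one_sp_by_redirect(response, sessions, meta_alias):
    """Redirect for the SP named by metaAlias only; return the sessions still to be logged out.

    A single HTTP response can carry a single redirect, so the caller must chain the
    remaining SPs in a later exchange (for example after the IdP's LogoutResponse).
    """
    chosen = [s for s in sessions if s["metaAlias"] == meta_alias]
    if not chosen:
        raise ValueError(f"no SP session for metaAlias {meta_alias}")
    s = chosen[0]
    xml = build_logout_request(s["entityID"], IDP_ENTITY_ID, s["nameID"], s["sessionIndex"])
    response.send_redirect(redirect_binding_url(IDP_SLO_REDIRECT, xml, relay_state=meta_alias))
    return [x for x in sessions if x is not s]


if __name__ == "__main__":
    raised, first = reproduce_double_redirect(SP_SESSIONS)
    print("double redirect raised IllegalStateException:", raised)
    resp = Response()
    remaining = slo_one_sp_by_redirect(resp, SP_SESSIONS, "/sp")
    print("sent:", decode_saml_request(resp.location)[:80], "... remaining:", [r["metaAlias"] for r in remaining])
```

The decode helper doubles as a check that the SAMLRequest parameter really is raw-deflated (a zlib-wrapped stream would fail to inflate with wbits=-15), which is a common interoperability mistake in hand-rolled Redirect-binding senders.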

        People

        Assignee: Peter Major (peter.major, inactive)
        Reporter: Peter Major (peter.major, inactive)
        QA Assignee: gabor.hollosi
        Votes: 0
        Watchers: 3