Identity Gateway / OPENIG-3431

Implement IG session clearing on logout from AM

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 5.0.0, 5.5.0, 5.5.1, 6.0.0, 6.1.0, 6.5.0
    • Fix Version/s: Not Applicable
    • Component/s: OpenAM
    • Environment:
      IG working with AM to provide SSO services for proxied applications.
    • Story Points: 1

      Description

      In Java agents, there is a feature called HTTP Session Binding that allows the agent to invalidate the Servlet session whenever the user triggers a logout, the user request has no SSO token, or the agent detects that the request is from a different user than the user in the current session - see https://backstage.forgerock.com/docs/openam-jee-policy-agents/5.5/java-agents-guide/#j2ee-agent-general-properties

      HTTP Session Binding

      When enabled, the Java agent invalidates the HTTP session upon login failure, when the user has no SSO session, or when the principal user name does not match the SSO user name.

      Default: true

      Property: com.sun.identity.agents.config.httpsession.binding

      Consider adding a config switch in the SingleSignOnFilter/CrossDomainSingleSignOnFilter that can clear the IG session when similar conditions are encountered, disabled by default to match current behaviour.
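      A small Python model of the proposed switch, added here as an illustration; it is not IG's own code or API. The filter class, the session store and the AM token table are constructed stand-ins, and the "binding disabled" path models the current behaviour the ticket describes (a stale IG session is left in place).

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for AM token validation: token -> principal.
# A token absent from the table is treated as invalid (logged out or login failed).
AM_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Session:
    principal: str                      # user the IG session was created for
    attrs: dict = field(default_factory=dict)


@dataclass
class Request:
    session_id: Optional[str]           # IG session cookie, if any
    sso_token: Optional[str]            # AM SSO token cookie, if any


class SessionBindingFilter:
    """Hypothetical filter: binds each IG session to one AM principal."""

    def __init__(self, binding_enabled: bool):
        self.binding_enabled = binding_enabled
        self.sessions: dict[str, Session] = {}
        self.cleared: list[str] = []    # reasons sessions were cleared, for inspection

    def handle(self, req: Request) -> Optional[Session]:
        session = self.sessions.get(req.session_id) if req.session_id else None
        sso_user = AM_TOKENS.get(req.sso_token) if req.sso_token else None
        if session is not None and self.binding_enabled:
            reason = None
            if req.sso_token is None:
                reason = "no SSO token on request"
            elif sso_user is None:
                reason = "SSO token rejected (logout or login failure)"
            elif sso_user != session.principal:
                reason = f"principal mismatch: session={session.principal} sso={sso_user}"
            if reason is not None:
                del self.sessions[req.session_id]
                self.cleared.append(reason)
                session = None
        if session is None and sso_user is not None and req.session_id:
            # Fresh IG session for the authenticated user. A real implementation
            # would also issue a new session identifier rather than reuse the cookie.
            session = self.sessions[req.session_id] = Session(principal=sso_user)
        return session
```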

              People

              • Assignee: Mark de Reeper (markdr)
              • Reporter: Mark de Reeper (markdr)
              • Votes: 1
              • Watchers: 2
