[OPENAM-5208] SAML2 SLO error on IDP with Session Synchronization when SP does not support SOAP binding
Created: 04/Dec/14  Updated: 20/Nov/16  Resolved: 01/Jan/15

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 11.0.0, 11.0.1, 11.0.2
Fix Version/s: 11.0.3, 12.0.1, 13.0.0

Type: Bug Priority: Major
Reporter: Nathalie Hoet Assignee: Peter Major [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to OPENAM-1012 IDP initiated SAML2 SLO error when SP... Resolved

 Description   

This is related to OPENAM-1012.

When Session Synchronization is enabled in the IDP and an SP does not support the SOAP binding, an error is thrown and the process stops. The process should keep going for the SPs supporting SOAP binding.

The error in the Federation file is:

libSAML2:10/28/2014 06:15:37:018 PM UTC: Thread[SystemTimerPool,5,main] 
ERROR: LogoutUtil.doLogout: Unable to find the recipient's single logout service with the binding null 
libSAML2:10/28/2014 06:15:37:018 PM UTC: Thread[SystemTimerPool,5,main] 
ERROR: IDPSessionListener.sessionInvalidated: 
com.sun.identity.saml2.common.SAML2Exception: Single Logout Service location not found. 


 Comments   
Comment by Quentin CASTEL [X] (Inactive) [ 12/Dec/14 ]

Catching the error here could probably be an acceptable fix:

IDPSessionListener.java (line 182)
    try {
        initiateIDPSingleLogout(sessionIndex, metaAlias, realm, SAML2Constants.SOAP,
                nameID, idpEntityID, spEntityID, paramsMap);
    } catch (SAML2Exception e) {
        // Log and move on to the next SP instead of letting the exception end the loop
        if (SAML2Utils.debug.errorEnabled()) {
            SAML2Utils.debug.error("SLO to SP failed", e);
        }
    }

This way, the for loop won't be broken and SLO for the other SPs can continue.
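
The effect of the per-SP catch suggested in the comment above, as an added example that is not part of the original issue or OpenAM's code. It is a simplified Java model with hypothetical names (SloFanOutDemo, soapLogout, SESSION_SPS, SOAP_CAPABLE) and constructed sample SPs, comparing a loop that stops at the first SP without a SOAP endpoint against one that logs the failure and continues:

```java
import java.util.*;

// Simplified model of the IDP logout fan-out; hypothetical names, not OpenAM code.
public class SloFanOutDemo {
    // Constructed sample data: SPs sharing the session, and those with a SOAP SLO endpoint.
    static final List<String> SESSION_SPS = List.of("sp-a", "sp-b", "sp-c");
    static final Set<String> SOAP_CAPABLE = Set.of("sp-a", "sp-c");
    static class SloException extends Exception { SloException(String m) { super(m); } }

    // Stand-in for the per-SP SOAP logout; fails when the SP has no SOAP SLO endpoint.
    static void soapLogout(String sp) throws SloException {
        if (!SOAP_CAPABLE.contains(sp)) throw new SloException("SLO location not found: " + sp);
    }

    // Reported behaviour: the exception is handled outside the loop, so SPs after the
    // failing one are never contacted and keep their sessions.
    static List<String> abortOnError() {
        List<String> notified = new ArrayList<>();
        try {
            for (String sp : SESSION_SPS) {
                soapLogout(sp);
                notified.add(sp);
            }
        } catch (SloException e) {
            System.err.println("SLO aborted: " + e.getMessage());
        }
        return notified;
    }

    // Suggested behaviour: catch per SP, log, continue, and record the SPs that failed.
    static List<String> continueOnError(List<String> failed) {
        List<String> notified = new ArrayList<>();
        for (String sp : SESSION_SPS) {
            try {
                soapLogout(sp);
                notified.add(sp);
            } catch (SloException e) {
                failed.add(sp); // this SP may still hold a live session
                System.err.println("SLO to SP failed: " + e.getMessage());
            }
        }
        return notified;
    }

    public static void main(String[] args) {
        List<String> failed = new ArrayList<>();
        System.out.println("abort on error:    " + abortOnError());
        System.out.println("continue on error: " + continueOnError(failed) + ", failed: " + failed);
    }
}
```

In the continuing variant the failed list still matters: an SP without a SOAP endpoint is skipped, not logged out, so its session stays valid until it expires or is terminated some other way.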

Comment by Quentin CASTEL [X] (Inactive) [ 12/Dec/14 ]

This can be useful:

libSAML2:10/28/2014 06:15:37:018 PM UTC: Thread[SystemTimerPool,5,main] 
ERROR: LogoutUtil.doLogout: Unable to find the recipient's single logout service with the binding null 
libSAML2:10/28/2014 06:15:37:018 PM UTC: Thread[SystemTimerPool,5,main] 
ERROR: IDPSessionListener.sessionInvalidated: 
com.sun.identity.saml2.common.SAML2Exception: Single Logout Service location not found. 
at com.sun.identity.saml2.profile.LogoutUtil.doLogout(LogoutUtil.java:187) 
at com.sun.identity.saml2.profile.LogoutUtil.doLogout(LogoutUtil.java:157) 
at com.sun.identity.saml2.profile.IDPSessionListener.initiateIDPSingleLogout(IDPSessionListener.java:341) 
at com.sun.identity.saml2.profile.IDPSessionListener.sessionInvalidated(IDPSessionListener.java:182) 
at com.sun.identity.plugin.session.impl.FMSessionProvider$SSOTokenListenerImpl.ssoTokenChanged(FMSessionProvider.java:659) 
at com.iplanet.sso.providers.dpro.SSOSessionListener.sessionChanged(SSOSessionListener.java:71)
at com.iplanet.dpro.session.Session.invokeListeners(Session.java:1019) 
at com.iplanet.dpro.session.Session.removeSID(Session.java:1004) 
at com.iplanet.dpro.session.service.SessionService.destroyInternalSession(SessionService.java:1111) 
at com.iplanet.dpro.session.service.InternalSession.changeStateAndNotify(InternalSession.java:1208) 
at com.iplanet.dpro.session.service.InternalSession.run(InternalSession.java:516) 
at com.sun.identity.common.TimerPool$WorkerThread.run(TimerPool.java:434)
Comment by Peter Major [X] (Inactive) [ 01/Jan/15 ]

Fixed with R12014 R12015 and R12016
