Single logout not working while using OpenAM as service provider

This topic has 14 replies, 3 voices, and was last updated 5 years, 6 months ago by nikolaosinlight.

  • #16355
     pradeep0202
    Participant

    Hi all,
    I configured OpenAM as a service provider along with an external identity provider (SAML authentication). When I tried to log out from OpenAM after successful authentication by the IdP, it redirected to the default logout page instead of performing SAML single logout. I configured and enabled the single logout URL in OpenAM, but it didn't work. Please help me in resolving this issue.

    • This topic was modified 5 years, 6 months ago by pradeep0202.
    #16404
     Peter Major
    Moderator

    The logout links in the UI will always result in a local logout only. You can use the single logout init JSPs to initiate the SAML SLO and perform logout at all remote entities involved.
    For example:
    http://idp.example.com:8080/openam/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/idp
    or
    http://sp.example.com:18080/openam/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=http://idp.example.com:8080/openam

    #16408
     pradeep0202
    Participant

    Hi Peter,
    Thanks for the reply. From your comments I came to know that for single logout we have to hit the URL
    (http://sp.example.com:18080/openam/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=http://idp.example.com:8080/openam) in a new tab. But how do we achieve the SAML logout when the user clicks the logout option in the UI? Because the user will always use the logout option in the UI to log out.

    #16424
     Peter Major
    Moderator

    You could either use SAML in integrated mode (in other words using the authentication module), or you could try to enable session synchronization if the involved parties support SOAP binding for the SLO endpoints. Alternatively you could change the UI to render the SLO links for logout, but I’m not sure how easy that is. Maybe just use your own UI in the first place? (I mean seriously what are the chances that a customer will click on the Logout button on the profile edit page? Surely your deployment has other sites as well)

    #16433
     pradeep0202
    Participant

    I tried in integrated mode as well, but still the same. When I tried to log out, a normal logout happened.

    #16434
     Peter Major
    Moderator

    Have you configured SLO in the SAML auth module? Did you add the PAP to the authentication chain or realm level settings?

    #16436
     pradeep0202
    Participant

    Yeah, I configured my IdP SLO URL in the SAML auth module and set the SLO field to true, and added the PAP to the authentication chain, but I am still not getting SAML logout.

    #16446
     Peter Major
    Moderator

    You may be running into some issues where the goto URL returned during logout is ignored by XUI. OPENAM-10381 wasn’t reproducible on 14, but probably it was still an issue on 13.
    Session synchronization could still work though.

    #16465
     pradeep0202
    Participant

    Hi Peter,
    I tried with integrated mode and the single logout is working fine. But now the issue is that even though I selected the SAML chain as the authentication for the user, the user is able to log in with the direct LDAP authentication chain as well, even though I selected the SAML chain in the user configuration. How can I restrict the user to log in only with SAML authentication?

    #16467
     Peter Major
    Moderator

    Captain obvious here: remove LDAP authentication module?

    #16469
     pradeep0202
    Participant

    I want the user to authenticate only through SAML authentication, but here the user is authenticating using both LDAP and SAML. I want only SAML authentication.

    #16479
     Peter Major
    Moderator

    Having both local LDAP authentication and federation at the same time sounds a bit excessive.
    If you always want to use federation for login, you should really just remove the LDAP authentication module from the authentication settings in the realm.

    #16486
     pradeep0202
    Participant

    But I want to keep local LDAP authentication for the admin, and for users I want SAML authentication. I set "Administrator Authentication Configuration" to "LDAP service" and "Organization Authentication Configuration" to "SAML authentication" in the authentication settings. According to the above configuration the user should be able to log in only with SAML authentication, but now he is able to authenticate using LDAP as well, which I don't want. If I remove LDAP authentication and assign SAML authentication for the admin too, then if SAML authentication fails for the admin I can't log into the admin account, right? So I want to keep local LDAP authentication for the admin and federated authentication for the users.

    • This reply was modified 5 years, 6 months ago by pradeep0202.
    #16504
     Peter Major
    Moderator

    I would suggest separating admin logins from federated logins into separate realms (this would be possible as long as the admin users are not meant to access the same services as the federated users).
    Another solution would be to ensure that the users in LDAP do not have a valid/resettable password.

    #16569
     nikolaosinlight
    Participant

    pradeep0202, when you say "…but now he can able to authenticate by using the LDAP also", I assume you mean the user can still use module=LDAP to authenticate. Yes?

    If so, an OpenAM best practice (see "27.1. Avoiding Obvious Defaults" in the Admin Guide) is to disable module-based authentication for OpenAM realms. To disable it for a realm, select the realm in the OpenAM console, then select Authentication > Settings > Security and clear the Module Based Authentication check box.

    A word of caution, however: do not disable it on the root realm if you use ssoadm, as ssoadm will no longer work. Lastly, Peter's advice is bang on, which is to typically employ sub-realms if you can/want.
