March 20, 2017 at 9:39 am #16355
I configured OpenAM as a service provider along with an external Identity Provider (SAML authentication). When I tried to log out from OpenAM after successful authentication by the IDP, it redirects to the default logout page instead of doing SAML Single Logout. I configured and enabled the single logout URL in OpenAM, but it didn't work. Please help me in resolving this issue.
March 21, 2017 at 9:07 pm #16404
- This topic was modified 5 years, 6 months ago by pradeep0202.
The logout links in the UI will always result in a local logout only. You can use the single logout init JSPs to initiate the SAML SLO and perform logout at all remote entities involved.
http://sp.example.com:18080/openam/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=http://idp.example.com:8080/openam
March 22, 2017 at 5:05 am #16408
Thanks for the reply. From your comments I came to know that for single logout we have to hit the URL (http://sp.example.com:18080/openam/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=http://idp.example.com:8080/openam) in a new tab. But how to achieve the SAML logout when the user clicks on the logout option from the UI? Because the user will always use the logout option from the UI to log out.
March 22, 2017 at 1:02 pm #16424
You could either use SAML in integrated mode (in other words using the authentication module), or you could try to enable session synchronization if the involved parties support SOAP binding for the SLO endpoints. Alternatively you could change the UI to render the SLO links for logout, but I’m not sure how easy that is. Maybe just use your own UI in the first place? (I mean seriously, what are the chances that a customer will click on the Logout button on the profile edit page? Surely your deployment has other sites as well.)
March 22, 2017 at 3:12 pm #16433
I tried in integrated mode even, but still the same. When I tried to log out, a normal logout is happening.
March 22, 2017 at 3:21 pm #16434
Have you configured SLO in the SAML auth module? Did you add the PAP to the authentication chain or realm level settings?
March 22, 2017 at 3:35 pm #16436
Yeah, I configured my IDP SLO URL in the SAML auth module and set the SLO field to true, and added the PAP to the authentication chain, but still not getting SAML logout.
March 23, 2017 at 1:15 am #16446
You may be running into some issues where the goto URL returned during logout is ignored by XUI. OPENAM-10381 wasn’t reproducible on 14, but probably it was still an issue on 13.
Session synchronization could still work though.
March 23, 2017 at 10:46 am #16465
I tried with integrated mode and the single logout is working fine. But now the issue is that even though I selected the SAML chain as the authentication for the user, the user is able to log in with the direct LDAP authentication chain also, even though I selected SAML chain for user authentication in the user configuration. How can I restrict the user to log in only with SAML authentication?
March 23, 2017 at 10:49 am #16467
Captain obvious here: remove LDAP authentication module?
March 23, 2017 at 11:15 am #16469
I want the user to authenticate only through SAML authentication, but here the user is authenticating by using both LDAP and SAML. I want only SAML authentication.
March 23, 2017 at 1:49 pm #16479
Having both local LDAP authentication and federation at the same time sounds a bit excessive.
If you always want to use federation for login, you should really just remove the LDAP authentication module from the authentication settings in the realm.
March 24, 2017 at 4:06 am #16486
But I want to keep local LDAP authentication for Admin, and for users I want SAML authentication. I kept “Administrator Authentication Configuration” set to “LDAP service” and “Organization Authentication Configuration” set to “SAML authentication” in the authentication settings. According to the above configuration the user should be able to log in only with SAML authentication, but now he is able to authenticate by using LDAP also, which I don't want. If I remove the LDAP authentication and assign SAML authentication for Admin also, then if SAML authentication fails for the admin I can't log into the admin account, right? So I want to keep local LDAP authentication for Admin and federation authentication for the users.
March 25, 2017 at 6:54 am #16504
- This reply was modified 5 years, 6 months ago by pradeep0202.
I would suggest to separate admin logins from federated logins to separate realms (this would be possible as long as the admin users are not meant to access the same services as the federated users).
Another solution would be to ensure that the users in LDAP do not have a valid/resettable password.
March 29, 2017 at 1:08 am #16569
nikolaosinlight
pradeep0202, when you say “…but now he can able to authenticate by using the LDAP also” I assume you mean the user can still use module=LDAP to authenticate. Yes?
If so, an OpenAM Best Practice (see in the Admin Guide “27.1. Avoiding Obvious Defaults”) is to disable module based authentication for OpenAM realms. To disable it for a realm, select the realm in the OpenAM console, then select Authentication > Settings > Security and clear the Module Based Authentication check box.
A word of caution however: do not disable it on the root realm if you use ssoadm, as ssoadm will no longer work. Lastly, Peter’s advice is bang on, which is to typically employ sub-realms if you can/want.
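Peter's earlier answer in this thread (point the UI's logout link at spSingleLogoutInit.jsp with metaAlias and idpEntityID instead of the local logout) as an added example, not code from the thread or from OpenAM: a helper that builds that SP-initiated SLO link with encoded parameters, and a check that flags a logout href which would only perform a local logout. Hosts and metaAlias are the thread's example values; the optional RelayState parameter is an assumption not mentioned in the thread.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values modelled on the thread (hypothetical hosts).
SP_BASE = "http://sp.example.com:18080/openam"
SP_META_ALIAS = "/sp"
IDP_ENTITY_ID = "http://idp.example.com:8080/openam"

# SP-initiated SLO JSP named in the thread, relative to the OpenAM base.
SLO_INIT_PATH = "/saml2/jsp/spSingleLogoutInit.jsp"


def slo_init_url(base, meta_alias, idp_entity_id, relay_state=None):
    """Build the SAML SLO link a UI logout button should point at.
    Parameters are percent-encoded so the ':' and '/' inside the IdP
    entityID survive as query values rather than being misparsed."""
    params = {"metaAlias": meta_alias, "idpEntityID": idp_entity_id}
    if relay_state is not None:
        # Assumption: the JSP accepts RelayState for the post-logout return.
        params["RelayState"] = relay_state
    return base.rstrip("/") + SLO_INIT_PATH + "?" + urlencode(params)


def is_saml_logout_link(href, base, meta_alias, idp_entity_id):
    """Does this logout href trigger SAML SLO, or only a local logout?
    It must hit spSingleLogoutInit.jsp under the SP's OpenAM base with the
    expected metaAlias and idpEntityID. Returns (ok, reason)."""
    u, b = urlsplit(href), urlsplit(base)
    if (u.scheme, u.netloc) != (b.scheme, b.netloc):
        return False, "different host"
    if u.path != b.path.rstrip("/") + SLO_INIT_PATH:
        return False, "not the SLO init JSP: local logout only"
    q = parse_qs(u.query)  # decodes both the encoded and the raw form
    if q.get("metaAlias") != [meta_alias]:
        return False, "wrong or missing metaAlias"
    if q.get("idpEntityID") != [idp_entity_id]:
        return False, "wrong or missing idpEntityID"
    return True, "ok"


if __name__ == "__main__":
    link = slo_init_url(SP_BASE, SP_META_ALIAS, IDP_ENTITY_ID)
    print(link)
    for href in (link, SP_BASE + "/UI/Logout"):
        print(href, "->", is_saml_logout_link(href, SP_BASE, SP_META_ALIAS, IDP_ENTITY_ID))
```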