SAML Logout is not working in clustered environment

RE: SAML Logout is not working in clustered environment

2018-09-17T07:30:36Z

Raja Seth:

Hi Shahbaz,

What I guess, cluster configuration seems to be incorrect. Check JSession id on each request, is it the same or its changes on each request. If it is so then check logs on both the servers.

Thanks & Regards,

Raja Seth

Hi Raja,

This is not clustering problem. I am facing same problem in Non Clustered environment also.

RE: SAML Logout is not working in clustered environment

2018-09-17T06:51:17Z

Hi Shahbaz,

What I guess, cluster configuration seems to be incorrect. Check JSession id on each request, is it the same or its changes on each request. If it is so then check logs on both the servers.

Thanks & Regards,

Raja Seth

RE: SAML Logout is not working in clustered environment

2018-09-17T06:11:44Z

David H Nebinger:

I don't know that your evaluation is correct...

If you log out, the IdP logs you out. When you say "once we return to Portal and do a logout", since it is the IdP you are already logged out. You don't log out of the SP and IdP individually, it is one "session" the login covers both and the logout covers both also.

Hi David,

Yes i am doing logout at IDP end and it is working fine, I am successfully logged out from IDP. But i am not getting logged out from Service Provider. When liferay check SAML response i am getting above error which i mentioned.

I am not getting logged out automatically from service provider when logged out from idp.

RE: SAML Logout is not working in clustered environment

2018-09-14T16:11:42Z

I don't know that your evaluation is correct...

If you log out, the IdP logs you out. When you say "once we return to Portal and do a logout", since it is the IdP you are already logged out. You don't log out of the SP and IdP individually, it is one "session" the login covers both and the logout covers both also.

SAML Logout is not working in clustered environment

2018-09-14T13:41:28Z

Hi,

We are having some strange behaviour when configured with SAML

Problem:

Liferay is setup as IDP, we have one service provider.
Once logged in from Liferay when we visit service provider's page then everything works, we dont need to login again there.
Once we return to Portal and then do a logout we are getting error

com.liferay.saml.runtime.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
at com.liferay.saml.opensaml.integration.internal.profile.ExceptionHandlerUtil.handleException(ExceptionHandlerUtil.java:34)
at com.liferay.saml.opensaml.integration.internal.profile.SingleLogoutProfileImpl.processSingleLogout(SingleLogoutProfileImpl.java:252)
at com.liferay.saml.web.internal.portlet.action.SingleLogoutAction.doExecute(SingleLogoutAction.java:62)
at com.liferay.saml.web.internal.portlet.action.BaseSamlStrutsAction.execute(BaseSamlStrutsAction.java:51)
at com.liferay.portal.kernel.struts.BaseStrutsAction.execute(BaseStrutsAction.java:39)
at com.liferay.portal.struts.ActionAdapter.execute(ActionAdapter.java:50)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)

Suspect: I guess signature is being passsed null.

Now once when we login back again into portal, then we are getting error

[SecurityPortletContainerWrapper:363] User 0 is not allowed to access URL https://unnayan.indianoil.co.in/web/guest/employee-login and portlet com_liferay_login_web_portlet_LoginPortlet

Then we have to clear cookies again so user can login.