Hi
Trace from federation
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 ivoli.am.fim.saml20.protocol.actions.SAML20LocalLogoutAction 3 doLogout Getting local login state
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 im.saml20.protocol.actions.slo.SAML20LocalLogoutForSLOAction > logoutNeeded ENTRY
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 im.saml20.protocol.actions.slo.SAML20LocalLogoutForSLOAction 1 logoutNeeded Logout needed = true
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 im.saml20.protocol.actions.slo.SAML20LocalLogoutForSLOAction < logoutNeeded RETURN
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 ivoli.am.fim.saml20.protocol.actions.SAML20LocalLogoutAction 1 doLogout Local logout at IdP.
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 ivoli.am.fim.saml20.protocol.actions.SAML20LocalLogoutAction 1 doLogout Attempting logout with User name = CN=Jætte TøstesenPerson,O=Ingen organisatorisk tilknytning,C=DK and session info = null
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl > logout(userName) ENTRY
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl 1 logout(userName) Logging out based on userid = CN=Jætte TøstesenPerson,O=Ingen organisatorisk tilknytning,C=DK
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl > logoutWithSignOutInfo ENTRY
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl 2 logoutWithSignOutInfo Calling the signOut service
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl 2 logoutWithSignOutInfo signOut returned quietly; assuming successful logout
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl < logoutWithSignOutInfo RETURN
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl < logout(userName) RETURN
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 ivoli.am.fim.saml20.protocol.actions.SAML20LocalLogoutAction < doLogout RETURN
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 im.saml20.protocol.actions.slo.SAML20LocalLogoutForSLOAction 1 runProtocol Logout was successful
It seems like the logout is happening and is assumed OK, but an error occurs, resulting in the following:
* Code: 0x38cf081e
* Text: DPWWA2078E Could not authenticate user. An external authentication service did not return required authentication data.
I have trace enabled (com.tivoli.am.fim.saml20.*=ALL) but get no details about the error/cause. Any ideas how to trace this?
BR Carsten
------------------------------
Carsten Jensen
ATP
+4530595704
------------------------------
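To read a trace like the one above without eyeballing it, here is an added Python example (not from the thread and not an IBM tool) that parses the federation runtime trace layout, pairs the `>` ENTRY and `<` RETURN markers with a stack, indents the flow, and pulls `field = value` pairs such as the session info passed to logout out of the debug messages. The line layout is my assumption from the lines above; the sample input is the trace posted above, copied verbatim.

```python
"""Parse ISAM federation-runtime trace lines and reconstruct the call flow.

Added example, not from the thread or from IBM. Layout assumed from the trace
above: "[timestamp] thread id=<id> <class> <marker> <method> <message>", where
marker is ">" (ENTRY), "<" (RETURN) or a digit (debug level).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the trace lines posted above, copied verbatim.
SAMPLE_TRACE = """\
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 ivoli.am.fim.saml20.protocol.actions.SAML20LocalLogoutAction 3 doLogout Getting local login state
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 im.saml20.protocol.actions.slo.SAML20LocalLogoutForSLOAction > logoutNeeded ENTRY
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 im.saml20.protocol.actions.slo.SAML20LocalLogoutForSLOAction 1 logoutNeeded Logout needed = true
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 im.saml20.protocol.actions.slo.SAML20LocalLogoutForSLOAction < logoutNeeded RETURN
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 ivoli.am.fim.saml20.protocol.actions.SAML20LocalLogoutAction 1 doLogout Local logout at IdP.
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 ivoli.am.fim.saml20.protocol.actions.SAML20LocalLogoutAction 1 doLogout Attempting logout with User name = CN=Jætte TøstesenPerson,O=Ingen organisatorisk tilknytning,C=DK and session info = null
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl > logout(userName) ENTRY
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl 1 logout(userName) Logging out based on userid = CN=Jætte TøstesenPerson,O=Ingen organisatorisk tilknytning,C=DK
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl > logoutWithSignOutInfo ENTRY
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl 2 logoutWithSignOutInfo Calling the signOut service
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl 2 logoutWithSignOutInfo signOut returned quietly; assuming successful logout
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl < logoutWithSignOutInfo RETURN
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl < logout(userName) RETURN
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 ivoli.am.fim.saml20.protocol.actions.SAML20LocalLogoutAction < doLogout RETURN
[9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 im.saml20.protocol.actions.slo.SAML20LocalLogoutForSLOAction 1 runProtocol Logout was successful
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<thread>\S+) id=(?P<rid>\S+) (?P<cls>\S+) "
    r"(?P<marker>\S+) (?P<method>\S+)(?: (?P<msg>.*))?$"
)


@dataclass
class TraceEvent:
    ts: str
    cls: str
    marker: str
    method: str
    msg: str


def parse_trace(text: str) -> List[TraceEvent]:
    """One TraceEvent per well-formed line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(TraceEvent(m["ts"], m["cls"], m["marker"], m["method"], m["msg"] or ""))
    return events


def match_calls(events: List[TraceEvent]) -> Dict[str, List[str]]:
    """Pair ENTRY/RETURN markers with a stack.

    Reports methods still open at the end and RETURNs with no ENTRY, which is
    what an excerpt that starts mid-call looks like (doLogout above).
    """
    stack: List[str] = []
    unmatched: List[str] = []
    for ev in events:
        if ev.marker == ">":
            stack.append(ev.method)
        elif ev.marker == "<":
            if stack and stack[-1] == ev.method:
                stack.pop()
            else:
                unmatched.append(ev.method)
    return {"still_open": stack, "unmatched_returns": unmatched}


def call_tree(events: List[TraceEvent]) -> List[str]:
    """Indent each event by nesting depth so the flow reads top to bottom."""
    depth, lines = 0, []
    for ev in events:
        if ev.marker == "<":
            depth = max(depth - 1, 0)
        lines.append("  " * depth + f"{ev.method}: {ev.msg}")
        if ev.marker == ">":
            depth += 1
    return lines


def find_field(events: List[TraceEvent], field: str) -> Optional[str]:
    """Pull 'field = value' out of a debug message (e.g. 'session info = null')."""
    pattern = re.compile(re.escape(field) + r" = (\S+)")
    for ev in events:
        m = pattern.search(ev.msg)
        if m:
            return m.group(1)
    return None


def logout_reported_successful(events: List[TraceEvent]) -> bool:
    return any("Logout was successful" in ev.msg for ev in events)


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    print("\n".join(call_tree(evs)))
    print(match_calls(evs))
    print("session info =", find_field(evs, "session info"))
```

Run against a full trace file rather than this excerpt, `match_calls` should come back empty on both lists; on this excerpt it reports the `doLogout` RETURN whose ENTRY was cut off, and `find_field` shows the logout being attempted with `session info = null`.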
Original Message:
Sent: Tue August 31, 2021 09:53 AM
From: Carsten Jensen
Subject: Single logout from an SP to IdP does not terminate/kill the WebSeal Session on the IdP
Hi Jon
Thank you for your advice. I've added the listed triggers and it had a strange effect; now the EAI application gets invoked with a TAM_OP=error:
0x38cf081e
DPWWA2078E Could not authenticate user. An external authentication service did not return required authentication data.
I'll do some more investigation.
------------------------------
Carsten Jensen
ATP
+4530595704
Original Message:
Sent: Fri August 27, 2021 07:02 AM
From: Jon Harry
Subject: Single logout from an SP to IdP does not terminate/kill the WebSeal Session on the IdP
Hi Carsten,
If I remember correctly, the session termination during SLO is performed by the Federation runtime (which processes the SLO request) responding with an EAI header that includes a session termination request directly to WebSEAL. If you don't have the appropriate EAI trigger URL in place to capture this EAI response from the federation runtime SLO, then the IdP session won't be terminated.
I think the trigger URLs you need are these (for federation asdf with federation runtime on junction /isam):
trigger = /isam/sps/auth*
trigger = /isam/sps/asdf/saml20/soap*
trigger = /isam/sps/asdf/saml20/slo*
trigger = /isam/sps/asdf/saml20/login*
Perhaps you're missing the slo* trigger?
By default the SLO trigger EAI message includes the session ID. In order for this to be available you need to have:
user-session-ids = yes
in the WebSEAL configuration.
There's an option in the federation definition not to include the session ID in the SLO response. I'm not sure when that option was introduced or how it changes behaviour, but I imagine it would log out all sessions for the user instead of only the one related to the specific session where SLO is performed.
None of the above gets your login EAI called... when SLO is initiated at the SP, the IdP doesn't get to interact with the user, so it doesn't usually trigger the "login success" call that would use local-response-redirect. There is an option in WebSEAL to provide "single-signoff-uri" entries which are (silently) called when a logoff occurs. Maybe you could use that to trigger your EAI app if you need to do something there on logout?
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
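The trigger list and the `user-session-ids` setting in the reply above are the kind of thing worth checking mechanically before the next test. The following is an added Python example (not from the thread and not an IBM tool) that reads a WebSEAL configuration, reports which of the four trigger URLs are absent for a given junction and federation name, checks `user-session-ids`, and emits a corrected copy. The junction `/isam` and federation name `asdf` are the placeholders from Jon's message; the stanza names `[eai-trigger-urls]` and `[session]` are my recollection of webseald.conf and should be verified against your own instance, and the sample config is constructed.

```python
"""Check a WebSEAL config for the SLO trigger URLs and user-session-ids.

Added example, not from the thread or from IBM. Assumptions: INI-style
webseald.conf, triggers as repeated "trigger = ..." keys in the
[eai-trigger-urls] stanza, user-session-ids in the [session] stanza, and
both stanzas already present (propose_fix relies on that).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: missing the slo* trigger and user-session-ids still "no".
SAMPLE_CONFIG = """\
[session]
user-session-ids = no

[eai-trigger-urls]
trigger = /isam/sps/auth*
trigger = /isam/sps/asdf/saml20/soap*
trigger = /isam/sps/asdf/saml20/login*
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_stanzas(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """INI parser that keeps repeated keys (configparser would collapse the triggers)."""
    stanzas: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m["name"]
            stanzas.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def required_triggers(junction: str, federation: str) -> List[str]:
    """The four trigger URLs from the reply above, parameterised on junction and federation."""
    base = f"{junction.rstrip('/')}/sps"
    return [
        f"{base}/auth*",
        f"{base}/{federation}/saml20/soap*",
        f"{base}/{federation}/saml20/slo*",
        f"{base}/{federation}/saml20/login*",
    ]


def check_slo_config(text: str, junction: str, federation: str) -> Dict[str, object]:
    """Report missing triggers and whether user-session-ids is enabled."""
    stanzas = parse_stanzas(text)
    present = {v for k, v in stanzas.get("eai-trigger-urls", []) if k == "trigger"}
    missing = [t for t in required_triggers(junction, federation) if t not in present]
    session = dict(stanzas.get("session", []))
    ids_on = session.get("user-session-ids", "no").lower() == "yes"
    return {"missing_triggers": missing, "user_session_ids": ids_on, "ok": not missing and ids_on}


def propose_fix(text: str, junction: str, federation: str) -> str:
    """Return the config with missing triggers appended and user-session-ids set to yes."""
    missing = check_slo_config(text, junction, federation)["missing_triggers"]
    out: List[str] = []
    in_triggers = False
    for raw in text.splitlines():
        m = STANZA_RE.match(raw.strip())
        if m:
            if in_triggers:  # leaving [eai-trigger-urls]: add the missing entries first
                out.extend(f"trigger = {t}" for t in missing)
            in_triggers = m["name"] == "eai-trigger-urls"
        elif raw.strip().startswith("user-session-ids"):
            raw = "user-session-ids = yes"
        out.append(raw)
    if in_triggers:
        out.extend(f"trigger = {t}" for t in missing)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(check_slo_config(SAMPLE_CONFIG, "/isam", "asdf"))
    print(propose_fix(SAMPLE_CONFIG, "/isam", "asdf"))
```

For the setup in the original question the junction would be `/sso` and the federation name whatever the IdP federation is called; the checker only tells you what the reply above says should be present, it does not confirm that those settings are sufficient.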
Original Message:
Sent: Fri August 20, 2021 09:25 AM
From: Carsten Jensen
Subject: Single logout from an SP to IdP does not terminate/kill the WebSeal Session on the IdP
Products: ISAM 9.0.7 Federations and WebSeal
Hi
I have a setup with an IdP behind WebSeal instance "login" on junction /sso.
The IdP uses an EAI via local-response-redirect and eai-trigger-url configuration. The EAI is on a Liberty backend behind a junction on the login WebSeal instance.
When SLO is initiated on/from the SP, an SLO request is also made for the IdP, and the IdP logs that it removes the SAML cookie, but this does NOT terminate/kill the WebSeal session. So when a new logon request is made from the SP and the IdP is called, the IdP still has the session, no new login or call to the EAI is triggered, the IdP responds with a SAML response to the SP, and the user is logged on without entering anything.
Why is the EAI not being triggered when the IdP receives the SLO request (as it does with the initial login)? Nor does the SLO request result in killing/terminating the WebSeal session. Is there any way to achieve this?
BR, Carsten
------------------------------
Carsten Jensen
ATP
------------------------------