Logout pages on IDP server not executed when logging out of ADFS server using ws-fed

  • 7013197
  • 03-Sep-2013
  • 03-Sep-2013

Environment

NetIQ Access Manager 3.2
ADFS with ws-federation protocol enabled
NetIQ Identity Server acting as a ws-federation Service Provider

Situation

With no remote authentication involved, local login and logout via /nidp/app/plogout work as expected and the logoutSuccess.jsp page is executed.

When doing a remote authentication via ws-fed, the logout fails and the logoutSuccess.jsp page is not executed. The user hits the NAM Identity Server and clicks on the ws-fed authentication card, which generates the login request to the ADFS ws-federation Identity Server. After the user has logged in successfully via the ADFS login page, the user is redirected back to the NAM Identity Server portal page as expected.

When the user then logs out of the ADFS Identity Server, the session on the NAM Identity Server is not terminated. The ADFS server sends the logout to the NAM Identity Server's /nidp/wsfed/term path, but this does not actually log the user out of NAM.

Resolution

Single logout (whether invoked from the IDP or the SP side) only works if the logout URL defined for the NAM Identity Server is one of the following, rather than /nidp/wsfed/term:
- "/nidp/wsfed/spassertion_consumer" or
- "/nidp/wsfed/ep"