Forum Discussion
SAML SLO error
Before v12.1, if the user's APM session is idled out (usually it will be), then the connection is RST.
The reason it was broken before is that APM has to keep track of all the SPs that have been authenticated in one IdP session and SLO must redirect in a chain to all of the SPs, ending with the one that initiated the request. If the user's session is missing, there is nowhere to look up this data.
That's fixed in 12.1 now; the caveat is that if there are multiple SPs, APM can't remember them and do the redirect chain back. For most users that's OK, and certainly more desirable than the current behavior of RST'ing the connection.
For older versions, the only way to work around this is to have the idle timer be really long for the session so they don't time out by the time they want to SLO out of the SP session.