
SP Initiated SLO Throws Error when IDP SMSESSION has Expired due to Idle Timeout


Article ID: 190530


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
SITEMINDER

Issue/Introduction

We have observed that if a user's IDP SMSESSION has already timed out when the user requests SLO from the SP side, the user receives an error and the user's SP session is not terminated. Is there any way to avoid the error or otherwise handle this better?

Environment

Release : ALL

Component : SiteMinder Federation

Cause

This is expected behavior, since the user's session information no longer exists at the IDP when the logout is requested. This leaves SiteMinder with no way to know which SP sessions exist to be removed.

Resolution

Ensure that the IDP session and idle timeouts are set such that the user's IDP session is valid at least as long as the SP session. When this cannot be done, it is better to configure simple logout rather than rely on SLO.

Alternatively, if you cannot avoid receiving SLO requests when the IDP session may no longer exist, the web agent's IdleTimeoutURL ACO parameter can be used to send the user to a static page with an appropriate message, or to an active page that detects the type of request made and takes appropriate action (such as letting the user know their IDP session has been terminated and redirecting the user to simple logout at the SP).
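The decision logic such an active IdleTimeoutURL page would need, as an added illustration that is not part of this article or of SiteMinder itself. It assumes the agent passes the originally requested URL to the page in a query parameter named target (an assumption, not a documented agent parameter), that the SP sends its SAML LogoutRequest over the HTTP-Redirect binding (base64 of raw DEFLATE in SAMLRequest), and that the SP's simple-logout and the static timeout page URLs are placeholders.

```python
import base64
import zlib
from typing import Optional
from urllib.parse import urlparse, parse_qs, urlencode
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SP_SIMPLE_LOGOUT_URL = "https://sp.example.com/logout"              # placeholder
TIMEOUT_PAGE_URL = "https://idp.example.com/session-expired.html"   # placeholder


def decode_redirect_binding_request(saml_request: str) -> Optional[ET.Element]:
    """Decode a SAMLRequest sent over the HTTP-Redirect binding
    (base64 of raw DEFLATE) and return its root element, or None if invalid."""
    try:
        raw = zlib.decompress(base64.b64decode(saml_request), -15)
        return ET.fromstring(raw)
    except (ValueError, zlib.error, ET.ParseError):
        return None


def classify_idle_timeout_request(url: str) -> str:
    """Decide where the IdleTimeoutURL page should send the user.
    If the expired session was interrupting an SP-initiated SLO, send the
    user to simple logout at the SP; otherwise show the static timeout page."""
    params = parse_qs(urlparse(url).query)
    target = params.get("target", [""])[0]          # assumption: agent supplies 'target'
    inner = parse_qs(urlparse(target).query)
    saml_request = inner.get("SAMLRequest", [None])[0]
    if saml_request:
        root = decode_redirect_binding_request(saml_request)
        if root is not None and root.tag == f"{{{SAMLP_NS}}}LogoutRequest":
            return SP_SIMPLE_LOGOUT_URL
    return TIMEOUT_PAGE_URL


def build_sample_slo_url() -> str:
    """Constructed sample: an SP-initiated LogoutRequest over HTTP-Redirect,
    wrapped the way the (assumed) agent redirect would hand it to the page."""
    logout_xml = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" ID="_sample1" '
        'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        '<NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">user@example.com</NameID>'
        '</samlp:LogoutRequest>'
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, no zlib header
    deflated = comp.compress(logout_xml.encode()) + comp.flush()
    slo_target = "https://idp.example.com/slo?" + urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode()})
    return "https://idp.example.com/expired?" + urlencode({"target": slo_target})
```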