SP Initiated SLO Throws Error when IDP SMSESSION has Expired due to Idle Timeout
Article ID: 190530
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
SITEMINDER
Issue/Introduction
We have observed that if a user's IDP SMSESSION has already timed out when the user requests SLO from the SP side, the user receives an error and the user's SP session is not terminated. Is there any way to avoid the error or otherwise handle this better?
Environment
Release : ALL
Component : SiteMinder Federation
Cause
This is expected behavior: the user's session information no longer exists when the logout is requested, so SiteMinder has no way to know which SP sessions exist to be removed.
Resolution
Ensure that the IDP session and idle timeouts are set so that the user's IDP session remains valid at least as long as the SP session. When this cannot be done, it is better to configure simple logout rather than rely on SLO.
Alternatively, if SLO requests may arrive when the IDP session no longer exists, the web agent's IdleTimeoutURL ACO parameter can be used to send the user either to a static page with an appropriate message, or to an active page that detects the type of request made and takes appropriate action (for example, informing the user that their IDP session has been terminated and redirecting them to simple logout at the SP).
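As an added illustration (not from this article and not SiteMinder code), the decision routine such an "active page" needs: it inspects the URL it was invoked with, decodes a SAML 2.0 LogoutRequest carried in the HTTP-Redirect binding, and maps the issuing SP to that SP's simple-logout URL, falling back to the static message for anything else. It assumes the request forwarded to the timeout page still carries the original SAMLRequest query parameter; the entity IDs, hostnames and the SP_SIMPLE_LOGOUT table are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Hypothetical table: SP entity ID -> that SP's simple-logout URL (placeholder values).
SP_SIMPLE_LOGOUT = {"https://sp.example.test/saml": "https://sp.example.test/logout"}

def decode_redirect_binding(saml_request_param):
    """HTTP-Redirect binding: SAMLRequest is base64 over raw DEFLATE (no zlib header)."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")

def encode_redirect_binding(xml_text):
    """Inverse of decode_redirect_binding; used only to build the constructed sample below."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")

def classify_request(url):
    """Return ("slo", sp_logout_url) if a SAML LogoutRequest from an SP arrived after the IDP
    session expired (sp_logout_url is None for an unknown issuer); otherwise ("static", None)."""
    params = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in params:
        return ("static", None)          # ordinary idle timeout: show the static message
    try:
        root = ET.fromstring(decode_redirect_binding(params["SAMLRequest"][0]))
    except (ValueError, zlib.error, ET.ParseError):
        return ("static", None)          # malformed parameter: fall back to the static message
    if root.tag != SAMLP + "LogoutRequest":
        return ("static", None)          # some other SAML message; not an SLO case
    issuer = (root.findtext(SAML + "Issuer") or "").strip()
    return ("slo", SP_SIMPLE_LOGOUT.get(issuer))

def build_timeout_url(logout_request_xml):
    """Constructed request URL: what the timeout page receives if the SLO query string is kept."""
    return "https://idp.example.test/idle-timeout?" + urlencode(
        {"SAMLRequest": encode_redirect_binding(logout_request_xml)})

# Constructed sample: an SLO request from the hypothetical SP, as the timeout page would see it.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee01" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://idp.example.test/slo">'
    '<saml:Issuer>https://sp.example.test/saml</saml:Issuer>'
    '<saml:NameID>user@example.test</saml:NameID></samlp:LogoutRequest>'
)
SAMPLE_URL = build_timeout_url(SAMPLE_LOGOUT_REQUEST)
```

The page itself would then issue the redirect for the "slo" case and render the static message for "static"; an issuer missing from the table should also get the static message rather than an unvalidated redirect.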