If there is SLO enabled, and the SMSESSION user logs out - are the associated OIDC session entries also deleted? 


Article ID: 196120

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction


Hi 

With OIDC Provider logon, the user gets a session store entry. This presumably stores the refresh token and other session attributes.

When the user logs on via the OIDC Provider, they also get an SMSESSION cookie in the primary domain.

We want to know, if SLO is enabled and the SMSESSION user logs out, whether the associated OIDC session entries are also deleted.

For background:
We are looking at session coordination across OIDC Relying Parties (and options for SLO across the OIDC Relying Parties).

I am aware of the following:
https://knowledge.broadcom.com/external/article?articleId=142570&_ga=2.100058590.1768824579.1595989778-1478507459.1594255604

And I appreciate that, for logout in the Relying Party to be properly implemented, some coordinated call to the Relying Party would be needed.

But what we want to check is whether (locally), when the SMSESSION user logs out with SLO set, that deletes the entries in the local session store for the OIDC Provider setup (this will be entries for refresh_token, etc.).

We assume the call to verify token, or refresh token from the relying party will return failure or false when the OIDC session store entries are deleted.

And we would like to know whether that deletion is (or perhaps can be) coordinated with the SMSESSION SLO logout.

Environment

Release : 12.8.03

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

As you have probably found, there is no documentation on this, but I have found a previous case where the following was asked:

"How do we kill the smsession, when user hits logout on the client? Is there a logout endpoint for OIDC?"

Answer:

"You will need to use the Agent logoffUri to remove the SMSESSION."

And also a link to this idea:

https://community.broadcom.com/participate/ideation-home/viewidea?IdeationKey=284b4991-88ed-47a8-af21-c471b97bcd1b

So, it would appear that the answer is no.

For your convenience, here is the documentation for logoffUri:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/web-agent-configuration/comprehensive-log-out.html#concept.dita_eeefd22588cc0982bab755d1427fe80a1f8a3281_ConfigureFullLogoff
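To make the two behaviours in this thread concrete, the following is an added toy model written for this article; it is not SiteMinder code and does not reflect the real session-store schema or agent internals. It holds the two records the question describes (the SMSESSION cookie known to the Web Agent, and the OIDC Provider session-store entry keyed by refresh token), models the logoffUri behaviour given in the resolution (SMSESSION removed, OIDC entry left in place), and, for contrast, the coordinated logoff the customer asked about, so that the assumption in the question (refresh fails once the OIDC entry is gone) can be checked against each. All names, the token formats and the user names are constructed for illustration.

```python
"""Constructed model of SMSESSION vs. OIDC session-store records (illustrative only)."""
import secrets


class SessionStore:
    """In-memory stand-in for the two session records involved in OIDC Provider logon."""

    def __init__(self):
        # SMSESSION cookie value -> user name (what the Web Agent logoffUri removes)
        self.smsessions = {}
        # refresh token -> user name (the OIDC Provider session-store entry)
        self.oidc_refresh = {}

    def login(self, user):
        """OIDC Provider logon: creates both records, as the question describes."""
        sm = secrets.token_urlsafe(16)   # constructed SMSESSION value
        rt = secrets.token_urlsafe(24)   # constructed refresh token
        self.smsessions[sm] = user
        self.oidc_refresh[rt] = user
        return sm, rt

    def agent_logoff(self, sm):
        """Models the resolution's answer: logoffUri removes only the SMSESSION.
        The OIDC session-store entry is not touched, so refresh still succeeds."""
        return self.smsessions.pop(sm, None) is not None

    def coordinated_logoff(self, sm):
        """The behaviour the question asks for (not what the product does, per the
        resolution): removing the SMSESSION also revokes that user's OIDC entries.
        Returns the number of refresh tokens revoked."""
        user = self.smsessions.pop(sm, None)
        if user is None:
            return 0
        stale = [rt for rt, u in self.oidc_refresh.items() if u == user]
        for rt in stale:
            del self.oidc_refresh[rt]
        return len(stale)

    def refresh(self, rt):
        """Relying Party refresh-token call: succeeds only while the entry exists,
        which is the assumption the question makes about the real store."""
        return rt in self.oidc_refresh


if __name__ == "__main__":
    store = SessionStore()
    sm, rt = store.login("alice")
    store.agent_logoff(sm)
    print("refresh after agent logoff:", store.refresh(rt))          # still valid
    sm, rt = store.login("bob")
    store.coordinated_logoff(sm)
    print("refresh after coordinated logoff:", store.refresh(rt))    # revoked
```

The point of the contrast is the first printed line: with only the agent logoffUri in play, the Relying Party's refresh call keeps succeeding after the SMSESSION is gone, which is why cross-RP logout needs the coordinated call to the Relying Party that the question already anticipates.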