If there is SLO enabled, and the SMSESSION user logs out - are the associated OIDC session entries also deleted? 

Article Id: 196120
Status: Published
Updated On: 02-08-2020 14:43
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) , CA Single Sign On Agents (SiteMinder) , CA Single Sign On Federation (SiteMinder) , CA Single Sign On SOA Security Manager (SiteMinder) , SITEMINDER
Issue/Introduction:


Hi 

With OIDC Provider logon, the user gets a session store entry.   This presumably stores the refresh token, and other session attributes. 

When the OIDC Provider log's on they also get an SMSESSION cookie in the primary domain.

We want to know if there is SLO enabled, and the SMSESSION user logs out - are the associated OIDC session entries also deleted? 

For background : 
We are looking at session coordination across OIDC Relying Parties. (and options for SLO across the OIDC Relying parties). 

I am aware of the following : 
https://knowledge.broadcom.com/external/article?articleId=142570&_ga=2.100058590.1768824579.1595989778-1478507459.1594255604

And appreciate the logout in the relying party to be properly implemented would need some co-ordinated call to the replying party. 

But, what we want to check is if (locally) when the SMSESSION user logs out, with SLO set, does that delete the entries in the local session store for the OIDC Provider setup (this will be entries for refresh_token, etc).

We assume the call to verify token, or refresh token from the relying party will return failure or false when the OIDC session store entries are deleted.

And would like to know if that deletion is (or perhaps can be ) coordinated with the SMSESSION SLO logout.

Environment:

Release : 12.8.03

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution:

As have probably found there is no documentation on this, but I have found a previous case where the following was asked:

"How do we kill the smsession, when user hits logout on the client? Is there a logout endpoint for OIDC?"

Answer:

"you will need to use the Agent logoffUri to remove the smsession"

And also a link to this idea:

https://community.broadcom.com/participate/ideation-home/viewidea?IdeationKey=284b4991-88ed-47a8-af21-c471b97bcd1b

So, it would appear that the answer is no.

For your convenience, here is the doco for logoffUri:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/web-agent-configuration/comprehensive-log-out.html#concept.dita_eeefd22588cc0982bab755d1427fe80a1f8a3281_ConfigureFullLogoff