search cancel

Redirecting user to custom page when user performs SLO but gets "Already logged off" error.

book

Article ID: 228986

calendar_today

Updated On:

Products

CA Single Sign On Federation (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder) SITEMINDER CA Single Sign On Agents (SiteMinder) CA Single Sign-On

Issue/Introduction

Redirecting user to custom page when user performs SLO but gets "Already logged off" error.

Customer using Siteminder with a federation enabled CA Access Gateway (SPS), and have configured Siteminder as the IDP (Identity Provider).

Here when the user attempts to initiate an SLO flow when they're already logged off, they encounter the below error screen:

- Detailed Use case:

This flow can be replicated by having a browser with two tabs opened.

Each tab logged into a different SP (Service Provider) application.  

Perform SLO from the first tab, then try to perform SLO in the second tab.

When we perform the SLO on the FIRST tab, the user being redirected to the Status redirect URLs as expected.

But when we perform the SLO on the second tab, user getting the HTTP status 500 - Internal Server Error.

- Log data for reference from FWSTrace log:

[11/01/2021][18:53:35][20868][24468][9aa0c1c1-a00e8006-cb78145d-04a5091d-68b67d08-b2][FWSBase.java][validateSessionData][Transaction with ID: 9aa0c1c1-a00e8006-cb78145d-04a5091d-68b67d08-b2 failed. Reason: FWSB_USER_LOGGED_OFF]
[11/01/2021][18:53:35][20868][24468][9aa0c1c1-a00e8006-cb78145d-04a5091d-68b67d08-b2][FWSBase.java][validateSessionData][User's session is already in logged off state. Global Logout can not be performed.]
[11/01/2021][18:53:35][20868][24468][9aa0c1c1-a00e8006-cb78145d-04a5091d-68b67d08-b2][FWSBase.java][validateSessionData][Ending SAML2 Single Logout Service request processing with HTTP error 500]

------ Documented recommendation for this behavior:

As per the below " Status Redirects for HTTP Errors (SAML 2.0 IDP) " document, the user should be redirected to different applications (URLs) for further processing If we define " Status Redirect URL " in the section of SSO and SLO dialog.

- Configuration snippet Just for reference:

- Status Redirect URL:

Configure how the browser redirects a user when an HTTP 500, 400, or 405 error occurs. For example, if 500 server error occurs, the browser redirects the user to the Server Error Redirect URL for further processing.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/saml-2-0-only-configurable-features/status-redirects-for-http-errors-saml-2-0-idp.html

Environment

CA Access Gateway (CA Secure Proxy Server) 12.8 releases and CA Policy Server 12.8 releases and/or applicable to any supported environment.

Cause

In this particular use case scenario how can we redirect the user to a custom page instead of displaying this default 500 error page.

In the FEDERATION partnership, customer already configured " Status Redirect URLs ", but they don't appear to redirect the user to the Status Redirect URL and instead getting this specific "already logged off" error message when we initiate the SLO on the second tab of the browser.

- We would like to understand why the Status Redirect URL is not working when we initiate the SLO on the second tab of the browser. 

Resolution

Kindly note that the use case is working as expected because once the user session got logged off there is no way to fetch the federation partnership details and the status redirect URL so that is the reason why user getting User's session is already in logged off state when they initiate the SLO on the second tab of the browser. Global Logout can not be performed error message with HTTP 500 error message on the second tab when you initiate the SLO.

As a workaround, kindly find the below details which helps you to display the custom message instead of default HTTP 500 error message.

Kindly review the below workaround Information thoroughly and set up a custom page so that the request will redirected to the page configured.

You would need to create a CUSTOM page to display the required message and make the required changes.

Kindly consider the below code and Information as reference only.

After adding section below in " SPSInstalledlocation/affwebservices/WEB-INF/web.xml " file, you will be able to access the page.

<error-page>

<error-code>404</error-code>

<location>/public/error404.jsp</location>

</error-page>


<error-page>

<error-code>500</error-code>

<location>/public/error500.jsp</location>

</error-page>

------ When the application (affwebservices) is unable to handle 500 error message due various reasons (SingleLogout request when smsession is already loggedoff, error during fetching partnership information from PS when not available in Cache) in such cases error page handling will be delegated to affwebservices " web.xml ".

Attachments