
Intermittent SLO failures


Article ID: 255230


Products

SITEMINDER
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

We are intermittently seeing SAML SLO fail in a way that results in the user's IDP session being terminated while their SP session remains active. We are not seeing a redirect back to the SP after the IDP session is terminated, and we see the logout confirmation page despite the logout not being completed on the SP side.

Environment

Release: All

Cause

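In the failing use case, the browser does not present a session cookie to the SiteMinder IDP during SLO. In the trace lines below, the successful request finds the SMSESSION cookie, while the failing request finds a SESSIONSIGNOUT cookie instead: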

Successful SLO:
[11/02/2022][19:03:29][1102777][140688129836800][63787120-9d879cb6-d677953a-ffc1088a-2ae68e93-0][FWSBase.java][getSessionFromCookie][Fetching session details from cookie [CHECKPOINT = SLO_SESSION_FETCH]]
[11/02/2022][19:03:29][1102777][140688129836800][63787120-9d879cb6-d677953a-ffc1088a-2ae68e93-0][FWSBase.java][getSessionCookie][currentZone + Session cookie suffix: SMSESSION]
[11/02/2022][19:03:29][1102777][140688129836800][63787120-9d879cb6-d677953a-ffc1088a-2ae68e93-0][FWSBase.java][getSessionCookie][SMSESSION Cookie found.]


Unsuccessful SLO:
[11/02/2022][18:58:53][1102777][140688130889472][d0229469-4552458b-93f0a990-26f37c0d-13a337e4-03f][FWSBase.java][getSessionFromCookie][Fetching session details from cookie [CHECKPOINT = SLO_SESSION_FETCH]]
[11/02/2022][18:58:53][1102777][140688130889472][d0229469-4552458b-93f0a990-26f37c0d-13a337e4-03f][FWSBase.java][getSessionCookie][currentZone + Session cookie suffix: SMSESSION]
[11/02/2022][18:58:53][1102777][140688130889472][d0229469-4552458b-93f0a990-26f37c0d-13a337e4-03f][FWSBase.java][getSessionCookie][SESSIONSIGNOUT Cookie found.]

The failing use case is likely the result of testing that left the browser in a state where it had a valid session on the SP but no valid session at the IDP.
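To pick out affected requests from a larger trace, the comparison shown above can be scripted. The following is an added example, not code from the original article or from the product: it groups trace lines by transaction ID and flags SLO requests where the cookie found differs from the expected session cookie. It assumes the eight-field line layout shown above and that the value after "Session cookie suffix:" is the expected cookie name; the sample lines are constructed.

```python
import re

# Layout of the trace lines above: eight bracketed fields. The last one (the
# message) may contain brackets itself, so it is matched up to the final "]".
LINE_RE = re.compile(r"^\[([^\]]*)\]\[([^\]]*)\]\[[^\]]*\]\[[^\]]*\]"
                     r"\[([^\]]*)\]\[[^\]]*\]\[([^\]]*)\]\[(.*)\]\s*$")
# Assumption: the value after "Session cookie suffix:" is the cookie name the
# IDP expects to find for this request.
EXPECTED_RE = re.compile(r"Session cookie suffix:\s*(\S+)")
FOUND_RE = re.compile(r"^(\S+) Cookie found\.")

def classify_slo(lines):
    """Map transaction id -> details and verdict for each SLO_SESSION_FETCH seen."""
    state = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a trace line in the expected layout
        date, time, txn, method, msg = m.groups()
        if "CHECKPOINT = SLO_SESSION_FETCH" in msg:
            state[txn] = {"when": f"{date} {time}", "expected": None, "found": None}
        elif txn in state and method == "getSessionCookie":
            expected, found = EXPECTED_RE.search(msg), FOUND_RE.match(msg)
            if expected:
                state[txn]["expected"] = expected.group(1)
            elif found:
                state[txn]["found"] = found.group(1)
    for s in state.values():
        if s["found"] is None:
            s["verdict"] = "incomplete"          # no "Cookie found." line logged
        elif s["found"] == s["expected"]:
            s["verdict"] = "session-cookie-present"
        else:
            s["verdict"] = "no-session-cookie"   # e.g. SESSIONSIGNOUT found instead
    return state

def sample_txn(txn, cookie):
    # Constructed sample lines in the article's layout; ids, times are placeholders.
    pre = f"[01/01/2024][12:00:00][1][2][{txn}][FWSBase.java]"
    fetch = "Fetching session details from cookie [CHECKPOINT = SLO_SESSION_FETCH]"
    return [f"{pre}[getSessionFromCookie][{fetch}]",
            f"{pre}[getSessionCookie][currentZone + Session cookie suffix: SMSESSION]",
            f"{pre}[getSessionCookie][{cookie} Cookie found.]"]

SAMPLE = sample_txn("txn-ok", "SMSESSION") + sample_txn("txn-bad", "SESSIONSIGNOUT")

if __name__ == "__main__":
    for txn, s in classify_slo(SAMPLE).items():
        print(s["when"], txn, s["verdict"], "found:", s["found"])
```

Transactions reported as no-session-cookie are the ones where the SP session can be expected to remain active after the IDP logout.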

Resolution

If a browser gets into this state (likely during testing rather than in a production environment), it's best to either clear all cookies or use an incognito/private mode for further testing.