Full logout regarding session management and token exchange in SiteMinder and VIP Authentication Hub (VIP AH)


Article ID: 403758


Products

SITEMINDER VIP Authentication Hub

Issue/Introduction

When running VIP Authentication Hub integrated with SiteMinder, how should a full logout be managed on both sides (SiteMinder and VIP Authentication Hub) so that the user is logged out of both environments?

Currently, VIP Authentication Hub is only used in conjunction with SiteMinder, via an authentication chain:

SiteMinder handles the primary authentication (username/password), and VIP Authentication Hub handles the second factor.

In this setup:

  • If the user logs out of SiteMinder, does the VIP Authentication Hub session remain active?

  • Will a session desynchronization occur, for instance, if the user logs out of SiteMinder but still has an active session on the VIP Authentication Hub and can therefore obtain OIDC tokens until the VIP Authentication Hub session expires?

    Is there a way to close both sessions on logout?

  • Are there any risks or limitations to consider for the following scenario:

    There's a page on a portal protected by SiteMinder and VIP Authentication Hub (with mandatory second factor).
    That same page also needs to call VIP Authentication Hub self-service APIs, which require an access token.
    The application acts as an OIDC client of VIP Authentication Hub, and since the VIP Authentication Hub session is already active (thanks to the previous SiteMinder and VIP Authentication Hub login), it can obtain the access token without prompting the user again.
    At most, only the second factor might be required.

  • Is there any way to exchange an SMSESSION or a SiteMinder-issued OIDC token for a VIP Authentication Hub access token (for the same user) usable to invoke its APIs?

Resolution

It isn't correct that VIP Authentication Hub relies on cookies.

It can run sessions entirely without the use of cookies by leveraging session tokens.

A SiteMinder Identity Token can be exchanged for a VIP Authentication Hub Access Token by using:

  1. VIP Authentication Hub's JWT-bearer grant flow (back channel);

     or

  2. VIP Authentication Hub's authorization code (AZ Code) grant flow (front- and back-channel flows).

Until VIP Authentication Hub adds support for Consent (say, for an app to access the user's profile data), there is no practical reason to use option 2.

VIP Authentication Hub Identity Token can be exchanged for SMSESSION by using SiteMinder's /authorize flow with "Identity_token_hint=ah-it".

SiteMinder Identity Token can be exchanged for a VIP Authentication Hub session by using VIP Authentication Hub's /authorize flow with "identity_token_hint=sm-it".
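The back-channel exchange described above (option 1) is the JWT-bearer grant of RFC 7523: the SiteMinder identity token is sent as the `assertion` to VIP Authentication Hub's token endpoint. The following is an added example, not code from the article or from Broadcom; it builds that request and performs a pre-flight check of the assertion's `iss`, `aud`, `exp` and `sub` claims so that an expired or mis-targeted token is never sent. The endpoint URL, client id, issuer and expected audience are assumed placeholders, and the sample token is constructed locally with a dummy signature (a real token is signed by SiteMinder and verified by VIP AH). The front-channel `/authorize` variant with `identity_token_hint` is not modelled here.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Grant type defined by RFC 7523 for the back-channel exchange.
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Assumed placeholder values; substitute the real VIP AH tenant endpoint,
# the registered client id and SiteMinder's OIDC issuer.
AH_TOKEN_ENDPOINT = "https://ah.example.com/oauth2/token"
AH_CLIENT_ID = "portal-app"
SM_ISSUER = "https://sm.example.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_identity_token(issuer, subject, audience, expires_in, now=None):
    """Constructed SiteMinder-style identity token for offline demonstration.
    The third segment is a dummy signature, not a real RS256 signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample-kid"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + expires_in}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"dummy-signature")])


def peek_claims(token: str) -> dict:
    """Decode the payload without verifying the signature. This is only a
    pre-flight sanity check; VIP AH verifies the signature on receipt."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def assertion_problems(claims, expected_issuer, expected_audience, now=None, skew=60):
    """Return a list of reasons the assertion must not be exchanged (empty if fine).
    RFC 7523 requires the assertion's aud to identify the authorization server."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if "exp" not in claims or claims["exp"] + skew < now:
        problems.append("expired")
    if not claims.get("sub"):
        problems.append("no subject")
    return problems


def build_jwt_bearer_exchange(identity_token, scope, token_endpoint=AH_TOKEN_ENDPOINT,
                              client_id=AH_CLIENT_ID, expected_issuer=SM_ISSUER,
                              expected_audience=AH_TOKEN_ENDPOINT, now=None):
    """Build the HTTP request that exchanges a SiteMinder identity token for a
    VIP AH access token. Raises ValueError instead of sending a bad assertion."""
    problems = assertion_problems(peek_claims(identity_token), expected_issuer,
                                  expected_audience, now)
    if problems:
        raise ValueError("refusing to exchange token: " + ", ".join(problems))
    body = {"grant_type": JWT_BEARER_GRANT, "assertion": identity_token,
            "client_id": client_id, "scope": scope}
    return {"method": "POST", "url": token_endpoint,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}


if __name__ == "__main__":
    token = make_sample_identity_token(SM_ISSUER, "alice", AH_TOKEN_ENDPOINT, 300)
    print(build_jwt_bearer_exchange(token, "profile"))
```

The returned dictionary can be handed to any HTTP client; the response, on success, carries the VIP AH access token that the portal page then uses against the self-service APIs. Because the assertion is the SiteMinder identity token itself, its lifetime bounds how long the exchange stays possible, which is why the expiry check is done before the call.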

Web logout (front channel) from SiteMinder should also be able to log the user out of VIP Authentication Hub by including VIP Authentication Hub's /logout endpoint in the logout flow.

When SiteMinder delegates to VIP Authentication Hub for MFA, it's not necessary for that flow to initiate a session in VIP Authentication Hub; the MFA can take place without creating a session in VIP Authentication Hub.

To do that, use app metadata on the "SM" app to skip participation in SSO.

Note also:

  • SiteMinder 12.8.8 onwards supports Front Channel Logout for OIDC-based flows.

    In the case of RP-initiated logout requests, the logout call request is sent to all the RP logout URLs configured (1).

    For MFA, as suggested, not generating a VIP Authentication Hub session token would be ideal.
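The front-channel logout chain described in this article (SiteMinder's web logout redirecting on to VIP Authentication Hub's /logout endpoint, then back to the portal) is an OIDC RP-initiated logout with nested `post_logout_redirect_uri` values. The following is an added example, not code from the article or from Broadcom; it builds the chain and validates every post-logout target against a registered list so that the logout redirect cannot be turned into an open redirect. The logout endpoint URLs and the registered targets are assumed placeholders; real deployments take them from each provider's discovery document and client registration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder end_session endpoints and post-logout landing page (constructed).
SM_LOGOUT = "https://sm.example.com/oidc/logout"
AH_LOGOUT = "https://ah.example.com/oidc/logout"
PORTAL_LOGGED_OUT = "https://portal.example.com/logged-out"

# Post-logout targets registered with the providers, compared without
# query string or fragment so a chained logout URL still matches.
REGISTERED = {AH_LOGOUT, PORTAL_LOGGED_OUT}


def _normalize(uri: str) -> str:
    """Reduce a URI to scheme://host/path and insist on https."""
    p = urlsplit(uri)
    if p.scheme != "https":
        raise ValueError("post-logout redirect must be https: " + uri)
    return p._replace(query="", fragment="").geturl()


def rp_initiated_logout_url(end_session_endpoint, id_token, post_logout_redirect_uri,
                            state, registered=REGISTERED):
    """Build one OIDC RP-initiated logout request (id_token_hint,
    post_logout_redirect_uri, state), refusing unregistered targets."""
    if _normalize(post_logout_redirect_uri) not in registered:
        raise ValueError("unregistered post_logout_redirect_uri: "
                         + post_logout_redirect_uri)
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": post_logout_redirect_uri,
              "state": state}
    return end_session_endpoint + "?" + urlencode(params)


def build_logout_chain(id_token, state):
    """Portal -> SiteMinder logout -> VIP AH logout -> portal landing page.
    The inner (VIP AH) request is built first and becomes SiteMinder's
    post-logout target, so both sessions end in a single browser flow."""
    ah_url = rp_initiated_logout_url(AH_LOGOUT, id_token, PORTAL_LOGGED_OUT, state)
    return rp_initiated_logout_url(SM_LOGOUT, id_token, ah_url, state)


def walk_logout_chain(url):
    """Follow nested post_logout_redirect_uri values and return the hosts
    visited, in order; useful for checking a chain before deploying it."""
    hops = []
    while url:
        p = urlsplit(url)
        hops.append(p.netloc)
        url = parse_qs(p.query).get("post_logout_redirect_uri", [None])[0]
    return hops


if __name__ == "__main__":
    chain = build_logout_chain("sample.id.token", "constructed-state")
    print(chain)
    print(walk_logout_chain(chain))
```

The order matters: the SiteMinder logout runs first because it holds the primary session, and VIP Authentication Hub's /logout is reached only through SiteMinder's post-logout redirect, so a user who abandons the flow midway is still logged out of the primary provider. If the MFA step is configured not to create a VIP AH session at all, as the article recommends, the second hop becomes unnecessary.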

Additional Information