
Federation Single Logout Does Not Work


Article ID: 41055


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Issue: 

Initiating a logout request results in a 500 error on the IDP side: 

FWSTrace:

Transaction with ID: 1587dbc0-8f814ebb-45de0133-7d4252db-fe98ae4a-477 failed. Reason: SLO_GET_EXCEPTION

Policy Server Trace:

[SingleLogoutTunnelServiceHandler.java][tunnelHandler][a962c4e5-cd7d6b26-f3613d82-6597db9f-de3d1ad1-7]][javax.xml.bind.UnmarshalException: Unexpected end of element {urn:oasis:names:tc:SAML:2.0:protocol}:LogoutRequest

Environment:  

Policy Server: R12.52 and above

Cause:

The NameID parameter is missing from the SLO Request (the SAML LogoutRequest).

Resolution: 

Per the SAML specifications, NameID is a required parameter in the SLO Request. The NameID should look like:

<ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">Robm</ns2:NameID>

Make sure that whichever party initiates the SLO Request (the SP or the IDP) includes all required parameters in it.
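One way to check an SLO Request for this condition before it reaches the other side, as an added Python example that is not part of this article or of the SiteMinder product: it validates that a LogoutRequest carries the required attributes and exactly one subject identifier (BaseID, NameID or EncryptedID) as saml-core-2.0-os section 3.7.1 requires, and can first undo the HTTP-Redirect binding encoding of a SAMLRequest query parameter. The sample requests, the issuer URL and the ID values are constructed placeholders, not values from a real trace.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# saml-core-2.0-os section 3.7.1: exactly one of these must identify the principal being logged out.
SUBJECT_TAGS = {"{%s}BaseID" % SAML, "{%s}NameID" % SAML, "{%s}EncryptedID" % SAML}

# Constructed sample (placeholder ID and issuer); the NameID matches the form shown in the article.
GOOD_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:ns2="{SAML}" '
    'ID="_placeholder-id-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
    '<ns2:Issuer>https://idp.example.com/affwebservices</ns2:Issuer>'
    '<ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Robm</ns2:NameID>'
    '</samlp:LogoutRequest>'
)
# The same request with the NameID dropped: the shape the article's Cause section describes.
BAD_REQUEST = GOOD_REQUEST.replace(
    '<ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Robm</ns2:NameID>', '')


def check_logout_request(xml_text):
    """Return the problems found; an empty list means the request carries what the spec requires."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return [f"root element is {root.tag}, not samlp:LogoutRequest"]
    # ID, Version and IssueInstant are required attributes of every SAML 2.0 request.
    problems = [f"missing required attribute {a}" for a in ("ID", "Version", "IssueInstant")
                if a not in root.attrib]
    subjects = [child for child in root if child.tag in SUBJECT_TAGS]
    if len(subjects) != 1:
        problems.append("missing subject identifier: exactly one BaseID, NameID or EncryptedID is required")
    return problems


def decode_redirect_binding(saml_request_param):
    """Undo the HTTP-Redirect binding encoding of a SAMLRequest query parameter:
    URL-decode, base64-decode, then inflate the raw DEFLATE stream (wbits=-15)."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_binding(xml_text):
    """Inverse of decode_redirect_binding; used here only to build a round-trip sample."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


if __name__ == "__main__":
    for label, request in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(label, check_logout_request(request) or "ok")
```

Feed decode_redirect_binding the SAMLRequest value taken from the logout URL or from the FWSTrace, then pass the result to check_logout_request; a non-empty list names what the initiating party left out.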

Additional Information:

SAML specifications for SLO Requests on page 60:

http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

Environment

Component: SMFED