Error: "Exception when processing SAML logout" and users are automatically getting logged out

Article ID: 433290

Products

VMware Cloud Director

Issue/Introduction

  • SAML users can log in successfully but get logged out after a set period of time, such as 30 minutes.
  • On the Cloud Director (VCD) cell, in the log file /opt/vmware/vcloud-director/logs/vcloud-container-debug.log, you may observe an error similar to the following:

    YYYY-MM-DD 17:00:08,555 | DEBUG    | pool-jetty-34             | SamlLogoutFilterUtils          | Setting SAML context relay state to logout path https://vcloud.example.com/login/logout?service=tenant:<tenant-name> | requestId=########-####-####-####-########,request=GET https://vcloud.example.com/login/logout,requestTime=1773334808256,remoteAddress=<ip-address>:53646,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/avif image/webp image/apng */*;q 0.8 application/signed-exchange;...
    YYYY-MM-DD 17:00:08,555 | WARN     | pool-jetty-34             | CustomSamlLogoutFilter         | Error processing metadata | requestId=########-####-####-####-########,request=GET https://vcloud.example.com/login/logout,requestTime=1773334808256,remoteAddress=<ip-address>:53646,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/avif image/webp image/apng */*;q 0.8 application/signed-exchange;...
    YYYY-MM-DD 17:00:08,555 | ERROR    | pool-jetty-34             | CustomSamlLogoutFilter         | Exception when processing SAML logout | requestId=########-####-####-####-########,request=GET https://vcloud.example.com/login/logout,requestTime=1773334808256,remoteAddress=<ip-address>:53646,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/avif image/webp image/apng */*;q 0.8 application/signed-exchange;...
    org.opensaml.saml2.metadata.provider.MetadataProviderException: IDP doesn't contain any SingleLogout endpoints
            at org.springframework.security.saml.util.SAMLUtil.getLogoutBinding(SAMLUtil.java:129)
            at org.springframework.security.saml.websso.SingleLogoutProfileImpl.sendLogoutRequest(SingleLogoutProfileImpl.java:74)

  • The logout does not coincide with session timeouts that have been configured in Cloud Director.
  • Cloudflare Access is used to load balance VCD cells.

Environment

VMware Cloud Director 10.6.1.x

Cause

This issue occurs when there is a timeout policy configured on the Cloudflare Access load balancer in the environment.

Resolution

Review the Cloudflare Access load balancer in the environment and increase the timeout settings for user sessions.
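
To confirm that a cell is showing the signature described under Issue/Introduction, the following added example (not VMware code) parses records in the layout of vcloud-container-debug.log, finds each "Exception when processing SAML logout" error, and checks whether its stack trace carries the "IDP doesn't contain any SingleLogout endpoints" cause. The sample log is constructed; the function name, timestamps, request IDs and 192.0.2.x addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the layout of vcloud-container-debug.log (all values made up).
SAMPLE_LOG = """\
2025-01-15 17:00:08,555 | WARN     | pool-jetty-34             | CustomSamlLogoutFilter         | Error processing metadata | requestId=c-1,request=GET https://vcloud.example.com/login/logout,remoteAddress=192.0.2.10:53646,userAgent=Mozilla/5.0
2025-01-15 17:00:08,555 | ERROR    | pool-jetty-34             | CustomSamlLogoutFilter         | Exception when processing SAML logout | requestId=c-1,request=GET https://vcloud.example.com/login/logout,remoteAddress=192.0.2.10:53646,userAgent=Mozilla/5.0
org.opensaml.saml2.metadata.provider.MetadataProviderException: IDP doesn't contain any SingleLogout endpoints
        at org.springframework.security.saml.util.SAMLUtil.getLogoutBinding(SAMLUtil.java:129)
2025-01-15 17:42:10,003 | ERROR    | pool-jetty-07             | CustomSamlLogoutFilter         | Exception when processing SAML logout | requestId=c-2,request=GET https://vcloud.example.com/login/logout,remoteAddress=192.0.2.44:40112,userAgent=Mozilla/5.0
java.lang.IllegalStateException: constructed unrelated cause
"""

# timestamp | level | thread | logger | message | comma-separated request context
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \| (?P<level>\w+)\s*\| "
    r"(?P<thread>[^|]*)\| (?P<logger>[^|]*)\| (?P<msg>.*?) \| (?P<ctx>.*)$")
NO_SLO = "IDP doesn't contain any SingleLogout endpoints"

def find_saml_logout_failures(text):
    """Return one dict per SAML logout ERROR record, with its stack trace attached."""
    events, current = [], None
    for raw in text.splitlines():
        m = RECORD.match(raw)
        if m is None:                      # exception or stack-frame continuation line
            if current is not None:
                current["trace"].append(raw.strip())
            continue
        current = None                     # a new record ends the previous trace
        if (m["level"] == "ERROR" and m["logger"].strip() == "CustomSamlLogoutFilter"
                and m["msg"] == "Exception when processing SAML logout"):
            remote = re.search(r"remoteAddress=([^,]+)", m["ctx"])
            current = {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
                "remote": remote.group(1).rsplit(":", 1)[0] if remote else None,
                "trace": [],
            }
            events.append(current)
    for e in events:                       # flag the cause named in this article
        e["no_slo_endpoint"] = any(NO_SLO in line for line in e["trace"])
    return events

if __name__ == "__main__":
    for e in find_saml_logout_failures(SAMPLE_LOG):
        print(e["ts"].isoformat(), e["remote"], "no SLO endpoint:", e["no_slo_endpoint"])
```

Comparing the timestamps of the flagged events with the session timeout configured in Cloud Director and with the Cloudflare Access session duration shows which policy the logouts follow.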