
The Multi SSO plugin does not support a SAMLRequest containing a SAML LogoutRequest, so IdP-initiated logouts are ignored.

Problem

Some identity providers (IdPs) let a user log out at the IdP and then send a SAML LogoutRequest to each service provider the user has a session with (IdP-initiated Single Logout). At this time, ServiceNow does not support a SAMLRequest containing a SAML LogoutRequest, so the logout is not propagated to the instance.

Symptoms

Users log out at their identity provider. However, when they then navigate to the instance, the instance session is still active.

This problem can be recognized in the browser network logs: after the logout at the IdP, the browser is sent to the instance with a request of the following form:

<instance>/navpage.do?SAMLRequest=<logoutrequest>


The SAMLRequest parameter carries a SAML LogoutRequest addressed to the instance. Decoded, it looks as follows:

<samlp:LogoutRequest Destination="<instance>/navpage.do"
    ID="s285b13e0376xxx9c85b2799cd15b96f26f" IssueInstant="2017-12-19T21:47:02Z"
    NotOnOrAfter="2017-12-19T21:57:02Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">IdP</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      NameQualifier="IdP" SPNameQualifier="<instance>"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">kyqg8yXXXGruouYwM4nfUqI8SI</saml:NameID>
  <samlp:SessionIndex xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">s2ab00ad03a0xxx8f947c57a4f96a269d01</samlp:SessionIndex>
</samlp:LogoutRequest>
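To confirm from a captured URL that the instance is receiving a LogoutRequest (rather than, say, an AuthnRequest), the following added example decodes the SAMLRequest parameter and pulls out the fields a service provider would need to end the matching session. It is diagnostic code written for this article, not ServiceNow or Multi SSO plugin code. It reproduces the SAML HTTP-Redirect binding encoding (raw DEFLATE, base64, URL-encode) so it runs offline against a constructed copy of the LogoutRequest above; the host https://instance.example, the session store, and the AuthnRequest sample are assumptions, and it performs no signature verification, which a real SP must do before acting on any LogoutRequest.

```python
"""Decode and classify a SAMLRequest parameter captured from browser network logs.

Added diagnostic example; not ServiceNow code. Reproduces the HTTP-Redirect
binding encoding so it runs offline against a constructed LogoutRequest.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the article's LogoutRequest with the <instance>
# placeholder replaced by a hypothetical host (assumption, not a real instance).
INSTANCE = "https://instance.example"
LOGOUT_REQUEST_XML = f"""<samlp:LogoutRequest Destination="{INSTANCE}/navpage.do"
ID="s285b13e0376xxx9c85b2799cd15b96f26f" IssueInstant="2017-12-19T21:47:02Z"
NotOnOrAfter="2017-12-19T21:57:02Z" Version="2.0" xmlns:samlp="{SAMLP}">
<saml:Issuer xmlns:saml="{SAML}">IdP</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="IdP" SPNameQualifier="{INSTANCE}"
xmlns:saml="{SAML}">kyqg8yXXXGruouYwM4nfUqI8SI</saml:NameID>
<samlp:SessionIndex xmlns:samlp="{SAMLP}">s2ab00ad03a0xxx8f947c57a4f96a269d01</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# Constructed minimal AuthnRequest, so the classifier can be seen telling the two apart.
AUTHN_REQUEST_XML = f"""<samlp:AuthnRequest ID="_authn1" Version="2.0"
IssueInstant="2017-12-19T21:40:00Z" Destination="https://idp.example/sso"
xmlns:samlp="{SAMLP}"><saml:Issuer xmlns:saml="{SAML}">{INSTANCE}</saml:Issuer></samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def encode_post_binding(xml_text: str) -> str:
    """HTTP-POST binding: base64 only, no compression."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def build_url(path: str, xml_text: str) -> str:
    """The URL the browser is sent to, i.e. <instance>/navpage.do?SAMLRequest=..."""
    return f"{INSTANCE}{path}?" + urlencode({"SAMLRequest": encode_redirect_binding(xml_text)})


def decode_saml_request(param: str) -> str:
    """Undo either binding. Uncompressed XML starts with '<'; deflate output does not."""
    data = base64.b64decode(param)
    if data.lstrip().startswith(b"<"):
        return data.decode("utf-8")
    return zlib.decompress(data, -15).decode("utf-8")


def classify_saml_request(url: str) -> dict:
    """Return the message type and, for a LogoutRequest, the fields an SP needs
    to locate and end the matching session."""
    qs = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in qs:
        return {"kind": None}
    root = ET.fromstring(decode_saml_request(qs["SAMLRequest"][0]))
    kind = root.tag.split("}", 1)[1] if root.tag.startswith("{") else root.tag
    info = {"kind": kind, "destination": root.get("Destination"),
            "not_on_or_after": root.get("NotOnOrAfter")}
    if kind == "LogoutRequest":
        info["issuer"] = root.findtext(f"{{{SAML}}}Issuer")
        info["name_id"] = root.findtext(f"{{{SAML}}}NameID")
        info["session_index"] = root.findtext(f"{{{SAMLP}}}SessionIndex")
    return info


def logout_request_expired(not_on_or_after: str, now: str) -> bool:
    """NotOnOrAfter bounds how long the request may be replayed; both values in SAML UTC form."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(now, fmt) >= datetime.strptime(not_on_or_after, fmt)


def terminate_session(sessions: dict, info: dict, now: str) -> bool:
    """What an SP honouring IdP-initiated SLO would do after signature checks:
    drop the session whose SessionIndex matches. `sessions` is a constructed
    store mapping SessionIndex -> user; returns True if a session was ended."""
    if info.get("kind") != "LogoutRequest":
        return False
    if info["destination"] != f"{INSTANCE}/navpage.do":  # not addressed to this SP
        return False
    if logout_request_expired(info["not_on_or_after"], now):
        return False
    return sessions.pop(info["session_index"], None) is not None


if __name__ == "__main__":
    url = build_url("/navpage.do", LOGOUT_REQUEST_XML)
    info = classify_saml_request(url)
    print(info)
    store = {"s2ab00ad03a0xxx8f947c57a4f96a269d01": "user@instance.example"}
    print("terminated:", terminate_session(store, info, "2017-12-19T21:50:00Z"), store)
```

Paste the SAMLRequest value from the captured navpage.do URL into decode_saml_request to see the XML the instance received; the behaviour the article describes is that the plugin never gets as far as terminate_session, so the SessionIndex shown stays valid at the instance.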


Cause

The SAML Multi SSO plugin does not process a SAMLRequest that carries a SAML LogoutRequest. The message is ignored, so the instance session is not terminated.

Resolution

To log out of an instance, call the /logout.do page on the instance instead. Logging out at the IdP alone does not end the instance session.

 

Article Information

Last Updated:2018-01-29 06:52:23
Published:2017-12-21