
Description

 

Logging out appears to be successful, but the session is still alive and the user can still access the platform.

This issue is only applicable to SSO with Microsoft ADFS.

  • User logs in and logs out.
  • Load a bookmarked page to verify that the login prompt is shown.
  • User logs in again.
  • User is still logged in although the logout confirmation page was shown.

 

Cause

The root cause is related to the default RSA key and the configuration requirement that sign-out requests must be signed.

Resolution

Please follow the steps below. Note that "IDP" means the Identity Provider, in this case the record associated with your ADFS settings in ServiceNow.

 

1 - IDP: Enable 'Signed Logout Request' tick box

2 - IDP: Update field 'SingleLogoutRequest'

    Before: https://[ADFS server]/adfs/ls/?wa=wsignout1.0
    After: https://[ADFS server]/adfs/ls/

3 - IDP: Update field "Signing Signature Algorithm"

    Before: http://www.w3.org/2000/09/xmldsig#rsa-sha1 
   After: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

 4 - Edit system property "glide.authenticate.sso.saml2.keystore"

    The default option (Madrid) is not enough to support SAML request signing with ADFS.

See (Madrid) Docs: "Add a Java keystore for SAML"

  By default, SAML 2 Single Sign-on provides a default keystore named SAML 2.0 SP Keystore.
  This keystore is active by default.

   You can add keystores as needed and specify which one to use by default with a property.

  Out of the box, "glide.authenticate.sso.saml2.keystore" is configured to point to the certificate "SAML 2.0 SP Keystore-1".
  The referenced certificate 'SAML 2.0 SP Keystore' only supports SHA-1.
  RSA SHA-256 is required, not SHA-1.
  Therefore the referenced sys_id value needs to be changed to that of the OOTB certificate 'SAML 2.0 Keystore_Key2048_SHA256'
  (keystore with a 2048-bit key and SHA-256 support).

       

 5 - Upload all certificates associated with the ADFS IDP trust chain:
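
To check that steps 1 to 3 took effect, the logout redirect sent to ADFS can be captured from the browser's network tab and inspected. The script below is an added example, not ServiceNow or Microsoft code. It assumes the logout request uses the SAML HTTP-Redirect binding (SigAlg and Signature as query parameters), and the host adfs.example.test, the function names and the sample URLs are constructed. It checks that a signature is present and which algorithm it names, not whether the signature is cryptographically valid.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
LOGOUT_TAG = "{urn:oasis:names:tc:SAML:2.0:protocol}LogoutRequest"

def audit_logout_redirect(url):
    """Return findings for a captured logout redirect URL; [] means it matches steps 1-3."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    findings = []
    if parts.scheme != "https" or parts.path.rstrip("/") != "/adfs/ls":
        findings.append("endpoint is not https://[ADFS server]/adfs/ls/")
    if "wa" in q:
        findings.append("wa= parameter still present (step 2 not applied)")
    try:
        # HTTP-Redirect binding: base64 of a raw DEFLATE stream (wbits=-15)
        raw = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15)
        if ET.fromstring(raw).tag != LOGOUT_TAG:
            findings.append("SAMLRequest is not a LogoutRequest")
    except (KeyError, ValueError, zlib.error, ET.ParseError):
        findings.append("no decodable SAMLRequest")
    sig_alg = q.get("SigAlg", [""])[0]
    if "Signature" not in q or not sig_alg:
        findings.append("request is unsigned (step 1 not applied)")
    elif sig_alg != RSA_SHA256:
        findings.append("SigAlg is not rsa-sha256 (step 3 not applied): " + sig_alg)
    return findings

def constructed_redirect(base, sig_alg=None):
    """Build a constructed sample URL; the Signature value is a dummy, not a real signature."""
    xml = ('<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_constructed" Version="2.0"/>')
    deflater = zlib.compressobj(wbits=-15)
    blob = deflater.compress(xml.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(blob).decode()}
    if sig_alg:
        params.update(SigAlg=sig_alg, Signature="Y29uc3RydWN0ZWQ=")
    return base + ("&" if "?" in base else "?") + urlencode(params)

if __name__ == "__main__":
    host = "https://adfs.example.test"  # placeholder host, not from the article
    for label, url in [
        ("before", constructed_redirect(host + "/adfs/ls/?wa=wsignout1.0")),
        ("sha1", constructed_redirect(host + "/adfs/ls/", RSA_SHA1)),
        ("after", constructed_redirect(host + "/adfs/ls/", RSA_SHA256)),
    ]:
        print(label, audit_logout_redirect(url) or "OK")
```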

Article Information

Last Updated: 2020-01-29 07:15:26
Published: 2020-01-29