KB40249 - Support for Single Logout Service on PCS device

Last Modified Date: 10/12/2016 1:08 PM
Synopsis
Support for SAML 2.0 Single Logout Service on PCS devices when using them as a SAML entity.
Problem or Goal
In certain SAML implementations that use a PCS device as an Identity Provider (IdP), for example SAML SSO in Gateway mode, where the PCS device performs SAML-based SSO for an application accessed through the device over Web rewrite, SSO might fail and the end user receives a message such as:
"Unable to validate SAML message!"

While investigating the logs on the Service Provider (i.e. the application), the SAML traces may show the following errors:

 [ERROR] [ajp-bio-8269-exec-5] [OIOSAML_AUDIT_LOGGER] Dispatch:SAMLAssertionConsumer <-- X.X.X.X 68DA31E2B68B805C2B9C49B8C4618273.worker1 '' '' 'The assertion must contain a AuthnStatement@SessionIndex'
dk.itst.oiosaml.sp.model.validation.ValidationException: The assertion must contain a AuthnStatement@SessionIndex

In the above example, SSO to the application fails even though everything appears fine from the device side: an assertion has been generated and sent to the application with the correct information.
Cause
PCS devices are capable of acting as a SAML entity, i.e. as an Identity Provider (IdP) or a Service Provider (SP), based on the SAML 2.0 standard.

SAML 2.0 also offers optional Single Logout functionality, whereby a user session spanning multiple Service Providers/applications, all authenticated by one Identity Provider, can be logged out at once from any one of those applications (depending on the implementation).

For this to work, SAML uses an attribute of the AuthnStatement element named "SessionIndex".

On PCS devices, in the current software release, we support the Single Logout Service only while the device is configured as a Service Provider.
We do not support it when the device is configured as an Identity Provider entity.

Since we do not support the Single Logout Service as an Identity Provider, we do not send the 'SessionIndex' attribute in any assertion that we issue to an application/Service Provider. If the Service Provider/application mandates the SessionIndex attribute in the assertion, authentication (SSO) to that application fails.
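To confirm this cause from a captured assertion rather than from the application's logs, the following added example (not part of this article or of the PCS product) applies the same check the Service Provider applies: it parses a SAML 2.0 assertion and reports whether every AuthnStatement carries a SessionIndex. The two assertions are constructed samples; issuer, subject and ID values are placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

# SAML 2.0 assertion namespace (standard value)
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: an assertion as described in the article, i.e. a valid
# AuthnStatement that carries no SessionIndex attribute.
ASSERTION_WITHOUT_SESSIONINDEX = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    ID="_placeholder-assertion-id" Version="2.0" IssueInstant="2016-10-12T13:08:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2016-10-12T13:08:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed sample: the same assertion with the attribute the SP mandates.
ASSERTION_WITH_SESSIONINDEX = ASSERTION_WITHOUT_SESSIONINDEX.replace(
    '<saml:AuthnStatement AuthnInstant=',
    '<saml:AuthnStatement SessionIndex="_placeholder-session-index" AuthnInstant=',
)


def check_session_index(assertion_xml: str) -> Tuple[bool, str]:
    """Return (ok, detail).

    ok is False when the assertion has no AuthnStatement or when any
    AuthnStatement lacks a SessionIndex, the condition the SP-side
    validator in the article rejects.
    """
    root = ET.fromstring(assertion_xml)
    statements = root.findall(f".//{{{SAML_NS}}}AuthnStatement")
    if not statements:
        return False, "assertion contains no AuthnStatement"
    for stmt in statements:
        if not stmt.get("SessionIndex"):
            return False, "The assertion must contain a AuthnStatement@SessionIndex"
    return True, f"SessionIndex present: {statements[0].get('SessionIndex')}"


if __name__ == "__main__":
    for label, xml in (("without", ASSERTION_WITHOUT_SESSIONINDEX),
                       ("with", ASSERTION_WITH_SESSIONINDEX)):
        ok, detail = check_session_index(xml)
        print(f"{label:8} SessionIndex -> ok={ok}: {detail}")
```

Run it against an assertion captured from a SAML trace (the base64-decoded Response body) to tell this cause apart from signature or audience failures, which produce different validator messages.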
Solution
As of now, because we do not support the Single Logout Service as an IdP, there is no workaround that can be implemented on the PCS side.
However, we can check whether the application/Service Provider can be configured not to treat the attribute as mandatory, since the attribute exists only to support Single Logout.
Created By: Sumanto Chakraborty