
SAML2 & SLO



Hello,

We recently changed our authentication procedure for our SAP NetWeaver system to authenticate users via SAML2 + SAP ID provider.

So far so good, and all is working fine.

The minor issue we're facing is with the logout option.

When the user clicks on the [Log Off] button (top right corner of the WebUI), he logs out of the system.

The problem is that if the user re-opens the browser and tries to open the WebUI again, everything behaves as if the user never logged out.

I mean, unless the user clears all cookies from his browser cache, the IDP logon screen where he normally has to provide credentials is not displayed.

It behaves as if [Log Off] is not deleting the cookies that were created when he initially logged in.

Is our expectation wrong?

We would expect that [Log Off] would delete that cookie, so the user would not be automatically re-authenticated but would be redirected to the IDP logon screen.

If our expectation is correct, then any idea why it's not behaving like this?

Please advise.

Thanks.

Accepted Solutions (0)

Answers (3)



Well... we resolved the issue by changing the default SLO endpoint type from POST to Redirect.

That is working fine in our dev landscape... but not in the QA landscape.

This means that if I log off from the CRM WebUI and reopen a browser, I have to provide my IDP credentials again to log in to the CRM WebUI, since the logoff has destroyed the "remember me" cookie.

In QA, if I do the same workflow, there is no way to get the IDP logon screen.

I'm automatically re-authenticated, just as if the "remember me" cookie were still valid.

I used SEC_DIAG_TOOL to trace the SAML logoff, and in both the dev and QA landscapes I'm getting similar traces (only the target IDP URL is different, since we have CRM dev <--> IDP test and CRM QA <--> IDP QA).

Using HttpWatch I can see the GET to the IDP SLO endpoint only in the case of the dev landscape.

In the case of CRM QA, HttpWatch is not catching the GET to the IDP SLO endpoint.

Any idea?


Hi Experts,

I have the same exact problem. We have corporate Google mail that uses SAML authentication, and we have a Windows ADFS server. I have configured NetWeaver Gateway as the SAML service provider and ADFS as the IdP. The issue is: when the user logs into his Gmail account and then tries to launch my web application, the browser is not showing the logon page, but NW Gateway is not accepting the logon request since the SAML request was not requested by NW.

We have used the logoff service from ADFS to log off, but no luck. Appreciate any pointers to solve this issue. We are using HTTPS to log on, and NW and the web app are behind a proxy. ADFS is not in the proxy.

MSo
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi Fabien,

Single logout is a combination of a service provider and identity provider handshake.

As in your case, the user may click on a logout button/link on the service provider side,

then an SLO request is sent to the IdP,

the IdP informs all service providers for which the user was logged in,

and terminates the session.

In order to be able to judge why it is not behaving as expected in your scenario, it is necessary to know the concrete application (or service provider) as well as the identity provider.

You stated that you have SAP NetWeaver and SAP ID provider. Could you explain a bit more concretely which applications you are referring to?

Is SAP NetWeaver an ABAP on-premise application?

Is the SAP ID provider SAP Single Sign-On (on-premise) or SAP Cloud Identity (cloud service)?

Best regards,

Marko Sommer
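To make the two technical points of this thread concrete, the SP-initiated SLO handshake Marko describes and the POST-versus-Redirect binding difference Fabien saw in his HttpWatch trace, here is an added worked example in Python. It is not code from the original thread, from SAP NetWeaver or from SAP Cloud Identity: it builds a minimal SAML 2.0 LogoutRequest, encodes it the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL query parameter `SAMLRequest`) and the way the HTTP-POST binding does (base64 form field), decodes the Redirect form back, and then scans constructed browser-trace lines (in the style of an HttpWatch capture) to report whether the logout actually reached the IdP SLO endpoint and with which binding. All hostnames, IDs, session indexes and trace lines are constructed placeholders; no signing is done, so a real SP would still add the `Signature`/`SigAlg` parameters (or an XML signature for POST) that the IdP requires.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_logout_request(issuer, name_id, session_index, destination,
                         request_id=None, issue_instant=None):
    """Return the XML text of an unsigned SAML 2.0 LogoutRequest (SP -> IdP).

    The SP names itself in Issuer, identifies the user with the NameID it
    received in the assertion, and names the IdP session via SessionIndex so
    the IdP can terminate exactly that session and notify the other SPs.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": destination})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def redirect_binding_url(slo_endpoint, logout_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL query parameters.

    The browser is sent to this URL with a GET, which is exactly the request
    a proxy trace should show when the SLO endpoint type is 'Redirect'.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = compressor.compress(logout_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    separator = "&" if "?" in slo_endpoint else "?"
    return slo_endpoint + separator + urlencode(params)


def decode_redirect_binding(url):
    """Reverse of redirect_binding_url: recover the LogoutRequest XML from the URL."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def post_binding_form(logout_request_xml):
    """HTTP-POST binding: the XML is only base64-encoded and auto-submitted as a form field."""
    return {"SAMLRequest": base64.b64encode(logout_request_xml.encode("utf-8")).decode("ascii")}


def find_slo_in_trace(trace_lines, slo_endpoint):
    """Scan '<METHOD> <URL>' trace lines and report how the IdP SLO endpoint was hit.

    Returns "Redirect", "POST" or None. None is the QA symptom from the thread:
    the SP logged the user out locally but the IdP session was never told.
    """
    for line in trace_lines:
        method, _, url = line.strip().partition(" ")
        if not url.startswith(slo_endpoint):
            continue
        if method == "GET" and "SAMLRequest=" in url:
            return "Redirect"
        if method == "POST":
            return "POST"
    return None


# Constructed sample values (placeholders, not real systems).
SP_ISSUER = "https://crm-dev.example.test/saml2/metadata"
IDP_SLO = "https://idp-test.example.test/saml2/idp/slo"
LOGOUT_XML = build_logout_request(SP_ISSUER, "fabien@example.test", "_sessionindex-1",
                                  IDP_SLO, request_id="_req-1",
                                  issue_instant="2020-01-01T00:00:00Z")
SLO_URL = redirect_binding_url(IDP_SLO, LOGOUT_XML, relay_state="https://crm-dev.example.test/sap/bc/ui2/flp")

# Constructed traces: dev shows the GET to the IdP SLO endpoint, QA never leaves the SP.
DEV_TRACE = [
    "GET https://crm-dev.example.test/sap/public/bc/sec/saml2/logoff",
    "GET " + SLO_URL,
    "GET https://crm-dev.example.test/sap/bc/ui2/flp",
]
QA_TRACE = [
    "GET https://crm-qa.example.test/sap/public/bc/sec/saml2/logoff",
    "GET https://crm-qa.example.test/sap/bc/ui2/flp",
]

if __name__ == "__main__":
    print(LOGOUT_XML)
    print("Redirect URL:", SLO_URL)
    print("POST form field length:", len(post_binding_form(LOGOUT_XML)["SAMLRequest"]))
    print("dev trace binding:", find_slo_in_trace(DEV_TRACE, IDP_SLO))
    print("QA trace binding:", find_slo_in_trace(QA_TRACE, IDP_SLO))
```

When comparing landscapes, the useful check is the one `find_slo_in_trace` automates: look for a GET (Redirect binding) or POST (POST binding) whose URL is the IdP's SLO endpoint. If the trace ends at the SP's own logoff URL, only the SP session was dropped and the IdP's session cookie stays valid, which is why the next visit is silently re-authenticated.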


Hello,

Correct.

SAP NetWeaver is an ABAP on-premise application (= SAP PRM system = an on-premise CRM ABAP system used to manage partner relationships with SAP).

SAP ID provider is SAP Cloud Identity (Cloud service).