Strange persistence after logout

  • Question

  • Hi all

    I have a situation in which we have an SAP CRM application integrated with ADFS 3.0 using SAML 2.0. Sign-on works well, but logout from the application is problematic. From tracing we can see the SAML logout take place and the logout page loads correctly in the browser, but using a combination of the back arrow and refresh (F5) in the browser the user is able to regain access to the application without re-authenticating. The CRM application is exposed to the Internet via the Web Application Proxy (WAP) and we need to ensure that the logout is clean, i.e. there is no way for someone on a public/kiosk machine to gain access to the application without authenticating.

    From tracing we can see the problem behaviour is that the browser contacts ADFS and picks up a new token, which is then used to gain access to the application.  In other words, this is not token replay.  It seems the ADFS session is persisting in some way.

    Any thoughts?


    Tony www.open-a-socket.com

    Wednesday, June 15, 2016 10:51 PM

Answers

All replies

  • Can you check your cookies? They should be expired. This is a problem with SAML 2.0 apps in which, if the SLO is not correctly defined, it does not do a proper logout. A SAML 2.0 session expects a SAML 2.0 SLO for logout; the cookies should be expired after 1 sec. If I am not wrong, this was an issue with the Salesforce integration with ADFS as well. You can take a look at this one as well:

    https://technet.microsoft.com/en-us/library/mt148493(v=ws.11).aspx

    Thursday, June 16, 2016 3:38 PM
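A quick way to verify the point made in this reply is to capture the HTTP response of the logout (SLO) endpoint and check that every session cookie is actually invalidated and that the logout page is not cacheable, which is what lets the back arrow and F5 bring a page back. The script below is an added example for this thread, not code from the posts, ADFS or SAP; the cookie names, the sample headers and the session-cookie list are constructed for illustration and should be replaced with the names seen in your own trace.

```python
"""Audit a logout (SLO) HTTP response for leftover session state.

Constructed example: cookie names and headers are illustrative, not the
real ADFS/SAP values from the thread above.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Assumed names of the cookies that carry an authenticated session at the
# IdP/proxy and at the SP; substitute the ones from your own trace.
SESSION_COOKIES = frozenset({"MSISAuth", "MSISAuthenticated", "SAP_SESSIONID_CRM"})

# Constructed sample responses: one clean logout, one that re-issues a token.
CLEAN_LOGOUT = [
    ("Cache-Control", "no-cache, no-store"),
    ("Set-Cookie", "MSISAuth=; Path=/adfs; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly"),
    ("Set-Cookie", "MSISAuthenticated=; Path=/adfs; Max-Age=0; Secure; HttpOnly"),
    ("Set-Cookie", "SAP_SESSIONID_CRM=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure"),
]
LEAKY_LOGOUT = [
    ("Cache-Control", "private"),
    ("Set-Cookie", "MSISAuth=opaque-token-value; Path=/adfs; Secure; HttpOnly"),
]


def cookie_is_cleared(morsel, now):
    """True if this Set-Cookie value makes the browser drop the cookie."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) <= 0
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) <= now
    return False  # re-issued (or empty but unexpired): session still live


def audit_logout_response(headers, session_cookies=SESSION_COOKIES, now=None):
    """Return a sorted list of findings; an empty list means logout looks clean."""
    now = now or datetime.now(timezone.utc)
    findings, touched = [], set()
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # one Set-Cookie header per call; several may appear
        for key, morsel in jar.items():
            touched.add(key)
            if key in session_cookies and not cookie_is_cleared(morsel, now):
                findings.append(f"session cookie {key} still valid after logout")
    for key in session_cookies - touched:
        findings.append(f"session cookie {key} not touched by logout response")
    cache = {n.lower(): v for n, v in headers}.get("cache-control", "")
    if "no-store" not in cache.lower():
        findings.append("logout page is cacheable (no Cache-Control: no-store)")
    return sorted(findings)
```

Run it against the headers from your trace; any finding names a cookie the browser will still present to ADFS or the CRM after logout, which matches the re-issued-token behaviour described in the question.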
  • Thanks for the response.  In the end it came down to a bug in the CRM SAML module that meant it wasn't referencing the SLO endpoint correctly.  The SAP partner was able to provide a custom workaround.

    Tony www.open-a-socket.com

    Thursday, July 7, 2016 8:16 PM
  • Do you have any external reference you can give us? In case somebody has the same issue and wants to know some technical info.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, July 8, 2016 3:47 PM