IBM Support

PH19348: WHEN USING MIXED MODE AUTHENTICATION/SSO CLICKING THE 'LOG OUT' BUTTON DOESN'T SIGN THE USER OUT OF NATIVE AUTHENTICATION


APAR status

  • Closed as program error.

Error description

  • Once SSO is enabled and a SAML or native user is logged in to
    the OpenPages application, clicking the Log Out button redirects
    to /openpages/sso.logout.do.
    
    But that does NOT terminate the OpenPages session. This can be
    verified by changing the URL to /openpages/home.do: you are
    not prompted to log in again.
    

Local fix

  • Deleting the cookies (specifically the LTPA2 cookie and the
    JSession cookie) will log the user out completely.
    Alternatively, close the browser completely.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * OpenPages Users                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * WHEN USING MIXED MODE AUTHENTICATION/SSO CLICKING THE 'LOG   *
    * OUT' BUTTON DOESN'T SIGN THE USER OUT OF NATIVE              *
    * AUTHENTICATION                                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Customers should download OpenPages 8.2 from Passport        *
    * Advantage. See the following document for details on         *
    * obtaining OpenPages 8.2:                                     *
    * https://www.ibm.com/support/pages/downloading-ibm-openpages-watson-version-82-passport-advantage
    ****************************************************************
    

Problem conclusion

  • Upon login to OpenPages through SSO, both cookies (OPJSESSIONID
    and OPLtpaToken2) are given values. When the user clicks
    "Log out" and is taken to sso.logout.do, OPJSESSIONID is given a
    new value, while OPLtpaToken2 is deleted.
    If the user clicks the Back button in their browser, they are
    taken back to OpenPages (as the IdP session was not terminated),
    but both OPJSESSIONID and OPLtpaToken2 are given new values (in
    the former's case, a value that even differs from the one it
    received at logout).
    
    Customers should download OpenPages 8.2 from Passport Advantage.
    See the following document for details on obtaining OpenPages
    8.2:
    https://www.ibm.com/support/pages/downloading-ibm-openpages-watson-version-82-passport-advantage
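
The cookie sequence described above can be checked in a logout regression test. The following is an added example, not part of the APAR or IBM's code: the function names are hypothetical, the cookie values are constructed, and it assumes the tester has captured the cookie jar at login, the Set-Cookie headers from sso.logout.do, and the jar after pressing Back without entering credentials.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Cookie names are the ones named in the APAR text.
SESSION_COOKIES = ("OPJSESSIONID", "OPLtpaToken2")

def apply_set_cookie(jar, headers):
    """Return a copy of jar after applying Set-Cookie values as a browser would."""
    jar = dict(jar)
    now = datetime.now(timezone.utc)
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            # A cookie is deleted by an empty value, Max-Age=0 or a past Expires.
            expired = morsel["max-age"] == "0" or morsel.value == ""
            if morsel["expires"]:
                expired = expired or parsedate_to_datetime(morsel["expires"]) <= now
            if expired:
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar

def audit_logout(jar_login, logout_headers, jar_after_back):
    """Classify each session cookie at logout and flag a re-login with no prompt."""
    jar_logout = apply_set_cookie(jar_login, logout_headers)
    states = {}
    for name in SESSION_COOKIES:
        if name not in jar_logout:
            states[name] = "deleted"
        elif jar_logout[name] != jar_login.get(name):
            states[name] = "rotated"
        else:
            states[name] = "unchanged"  # logout did not touch this cookie
    # Token cleared at logout yet present again with no credential prompt:
    # the IdP session outlived the application logout.
    silent_relogin = ("OPLtpaToken2" not in jar_logout
                      and "OPLtpaToken2" in jar_after_back)
    return states, silent_relogin

# Constructed sample values mirroring the sequence in "Problem conclusion".
LOGIN = {"OPJSESSIONID": "sess-A", "OPLtpaToken2": "ltpa-A"}
LOGOUT_HEADERS = ["OPJSESSIONID=sess-B; Path=/; HttpOnly",
                  "OPLtpaToken2=; Max-Age=0; Path=/"]
AFTER_BACK = {"OPJSESSIONID": "sess-C", "OPLtpaToken2": "ltpa-C"}

print(audit_logout(LOGIN, LOGOUT_HEADERS, AFTER_BACK))
```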
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH19348

  • Reported component name

    OPENPAGES GRC

  • Reported component ID

    5725D5100

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-11-18

  • Closed date

    2020-06-18

  • Last modified date

    2020-06-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    OPENPAGES GRC

  • Fixed component ID

    5725D5100

Applicable component levels


Document Information

Modified date:
19 June 2020