IBM Support

Configuring the ADFS logout page

How To


Summary

Configuring the ADFS logout page

Steps

To configure a logout URL in IBM Resilient when ADFS is your SAML IdP, follow the steps below. If you enable a -logouturl in Resilient without adding the extra configuration in ADFS, you will no longer be able to log in to Resilient, and the following error appears in client.log:

java.lang.RuntimeException: javax.servlet.ServletException: org.opensaml.xml.validation.ValidationException: SAML session index not found

The aim of this exercise is to redirect Resilient users to the ADFS logout page where the SAML token will be removed from your browser.

Create an incoming claim rule

Without the Name ID claim rule, ADFS will not provide a session index. The session index identifies the user's session. When a user logs out of Resilient, the session index is passed back to ADFS so that ADFS knows which session to expire.
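The dependency described above can be checked before -logouturl is enabled. The following Python script is an added example, not IBM's or Resilient's code: it parses a constructed SAML assertion (a hand-written sample, not one captured from ADFS), reports whether the Subject carries a NameID and whether the AuthnStatement carries a SessionIndex (the two values a single logout request needs), and shows the shape of the LogoutRequest that a service provider builds from them. The hostnames and issuer strings are placeholders.

```python
"""Check a SAML assertion for the fields single logout depends on.

Assumption: the assertions below are constructed samples, not real ADFS
output. The check mirrors the failure the article describes: with no Name ID
claim rule, ADFS issues no NameID and no SessionIndex, so the service
provider cannot build a LogoutRequest for the IdP.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ET.register_namespace("saml", NS["saml"])
ET.register_namespace("samlp", NS["samlp"])

# Constructed sample: assertion with both NameID and SessionIndex present.
ASSERTION_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2021-04-19T10:00:00Z">
  <saml:Issuer>http://ad.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2021-04-19T10:00:00Z" SessionIndex="_s1">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed sample: what an IdP issues when no Name ID rule is configured,
# i.e. a Subject without NameID and an AuthnStatement without SessionIndex.
ASSERTION_NO_SESSION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0" IssueInstant="2021-04-19T10:00:00Z">
  <saml:Issuer>http://ad.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2021-04-19T10:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def logout_fields(assertion_xml):
    """Return (name_id, name_id_format, session_index); None where absent."""
    root = ET.fromstring(assertion_xml)
    name_id_el = root.find("saml:Subject/saml:NameID", NS)
    authn_el = root.find("saml:AuthnStatement", NS)
    name_id = name_id_el.text if name_id_el is not None else None
    name_format = name_id_el.get("Format") if name_id_el is not None else None
    session_index = authn_el.get("SessionIndex") if authn_el is not None else None
    return name_id, name_format, session_index


def check_logout_ready(assertion_xml):
    """Return a list of problems; an empty list means single logout can work."""
    name_id, _, session_index = logout_fields(assertion_xml)
    problems = []
    if not name_id:
        problems.append("no NameID in Subject: add the Name ID claim rule in ADFS")
    if not session_index:
        problems.append("SAML session index not found: IdP issued no SessionIndex")
    return problems


def build_logout_request(assertion_xml, sp_issuer, idp_destination):
    """Build the (unsigned, illustrative) LogoutRequest the SP sends to the IdP.

    The request carries the NameID and SessionIndex back, which is how the IdP
    knows which session to expire.
    """
    name_id, name_format, session_index = logout_fields(assertion_xml)
    if not (name_id and session_index):
        raise ValueError("assertion lacks NameID or SessionIndex; cannot build LogoutRequest")
    req = ET.Element("{%s}LogoutRequest" % NS["samlp"], {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_destination,
    })
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = sp_issuer
    nid = ET.SubElement(req, "{%s}NameID" % NS["saml"])
    if name_format:
        nid.set("Format", name_format)
    nid.text = name_id
    ET.SubElement(req, "{%s}SessionIndex" % NS["samlp"]).text = session_index
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    for label, xml in (("ok", ASSERTION_OK), ("no-session", ASSERTION_NO_SESSION)):
        print(label, check_logout_ready(xml) or "ready for single logout")
    print(build_logout_request(ASSERTION_OK, "https://sp.example.test/saml2/sp",
                               "https://ad.example.test/adfs/ls/"))
```

Run the script against an assertion decoded from a real SAML response (the check only needs the Assertion element) to confirm the IdP issues a SessionIndex before turning on -logouturl; if `check_logout_ready` reports a problem, the ADFS claim rule is missing and login will fail with the error quoted above.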

[Screenshots: saml_logout1.jpg, saml_logout2.jpg, saml_logout3.jpg]

Configure the logout page

[Screenshots: saml_logout5.jpg, saml_logout6.jpg, saml_logout7.jpg]

If you populate the Response URL field, your browser is redirected elsewhere after logout, for example to a friendlier logout page.

Now add the logout URL to the SAML configuration.

$ sudo resutil samledit -alias resilient -logouturl https://ad.cb.com/adfs/ls/?wa=wsignout1.0

$ sudo resutil samlshow
Organizations: Collaborationben (create users)
Alias: resilient
Service Provider Identifier: https://resilient.cb.com/saml2/resilient
Authentication URL: https://resilient.cb.com/saml2/resilient
Identity Provider Authentication URL: https://ad.cb.com/adfs/ls/
Identity Provider Logout URL: https://ad.cb.com/adfs/ls/?wa=wsignout1.0
Binding Type: Post
Identity provider metadata URL: null
Identity provider metadata minimum refresh delay: null
Identity provider metadata maximum refresh delay: null
Identity provider HTTP/S requests must be signed: false
The SAML metadata and service provider certificate have been written to resilient-metadata.xml and resilient-sp-cert.pem.

Restart Resilient

When you click "logout", the browser is redirected to the ADFS logout page defined by the -logouturl value.

[Screenshot: saml_logout4.jpg]

You cannot access Resilient without going through the SAML authentication mechanism again.


Document Information

Modified date:
19 April 2021

UID

ibm11159864