IBM Support

SAML partial single logout

Question & Answer


Question

What should be checked when a SAML single logout (SLO) operation completes with partial success?

Cause

One possible reason for a partial-success logout is that TFIM cannot obtain the NameIDFormat from the session and therefore assumes that the default format is in use.

The default NameID format (unless otherwise specified) is Persistent. With the persistent format, the Alias Service is invoked to determine who the partner is.

However, because the NameID actually used for the SSO is the email address, the alias database is empty; the lookup fails and TFIM is unable to determine the target partner(s) to which the SLO request should be sent.

This results in a partial logout message.

Answer

Verify that the mapping rule adds the email NameIDFormat to the STSUU during the SSO operation.

For example, the following should be present in the STSUU Principal:

<stsuuser:Principal>
  <stsuuser:Attribute name="name" type="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
    <stsuuser:Value>testuser</stsuuser:Value>
  </stsuuser:Attribute>
</stsuuser:Principal>
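A small checker, added here as an illustration and not part of the IBM document, that reads an STSUU Principal fragment (as it would appear in a TFIM trace) and reports which NameIDFormat SLO partner resolution will rely on; it assumes the STSUU namespace urn:ibm:names:ITFIM:1.0:stsuuser and the standard SAML 2.0 persistent format URN, neither of which the page spells out.

```python
"""Check an STSUU Principal fragment for the NameIDFormat that TFIM will
reuse at single-logout time (added illustration, not IBM code)."""
import xml.etree.ElementTree as ET

# Assumed STSUU namespace; the snippet in the answer omits it.
STSUU_NS = "urn:ibm:names:ITFIM:1.0:stsuuser"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def _local(tag):
    """Strip the namespace part from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def name_id_format(stsuu_xml):
    """Return the NameIDFormat carried by the Principal 'name' attribute.

    None means no format was attached, so TFIM falls back to its default
    (persistent) and the Alias Service will be consulted during SLO.
    """
    root = ET.fromstring(stsuu_xml)
    for el in root.iter():
        if _local(el.tag) == "Principal":
            for attr in el:
                if _local(attr.tag) == "Attribute" and attr.get("name") == "name":
                    return attr.get("type")
    return None

def slo_expectation(stsuu_xml, sso_format=EMAIL_FMT):
    """Classify what SLO partner resolution will do for this session."""
    fmt = name_id_format(stsuu_xml) or PERSISTENT_FMT
    if fmt == sso_format:
        return ("ok", fmt)
    if fmt == PERSISTENT_FMT:
        # Persistent triggers an alias-service lookup; with e-mail based SSO
        # the alias store is empty, so partner resolution fails (partial logout).
        return ("partial-logout-risk", fmt)
    return ("mismatch", fmt)

# Constructed sample fragments: one with the format set, one without.
GOOD = f"""<stsuuser:Principal xmlns:stsuuser="{STSUU_NS}">
  <stsuuser:Attribute name="name" type="{EMAIL_FMT}">
    <stsuuser:Value>testuser</stsuuser:Value>
  </stsuuser:Attribute>
</stsuuser:Principal>"""

BAD = f"""<stsuuser:Principal xmlns:stsuuser="{STSUU_NS}">
  <stsuuser:Attribute name="name">
    <stsuuser:Value>testuser</stsuuser:Value>
  </stsuuser:Attribute>
</stsuuser:Principal>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, slo_expectation(doc))
```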


Document Information

Modified date:
17 June 2018

UID

swg22011201