2 Replies Latest reply on Dec 1, 2014 7:30 AM by Krishna Shiva

    Problem with global logout

    Krishna Shiva Newbie


      I am using Salesforce as my IDP and Picketlink as my SP. I am using the following link as mentioned in the tutorials for global logout in my SP.


      Please find the scenario.

      1. Enter SP url in browser. It leads me to IDP login page. Enter credentials and get logged in.

      2. Navigates to the SP and gets successfully logged into the application.

      3. Click on logout link in SP. SP navigates me back to IDP application, where I am still in session. I can browse my Salesforce IDP.

      4. Logout Salesforce IDP. I will be logged out successfully.

      5. Enter the SP url again on the same browser. You will login to the SP even without entering credentials and you can browse the application without any interruption.

      6. Click on logout link again in SP. You will navigate to the Salesforce IDP saying that "You do not have the level of access necessary to perform the operation you requested. Please contact the owner of the record or your administrator if access is necessary. ", which is correct.

      7. And I can login to the SP any number of times which I should not.


      Please help me to solve this issue. Let me know if you require any more information on this.




        • 1. Re: Problem with global logout
          Pedro Igor Master



          I think this is maybe be related with some issue when the IdP tries to process SP's LogoutRequest. I would recommend you to use SAMLTracer to check if the IdP is responding to the SP with a LogoutResponse. Only after a LogoutResponse (or LogoutRequest if multiple SPs are involved) the SP will invalidate the user session.



          1 of 1 people found this helpful
          • 2. Re: Problem with global logout
            Krishna Shiva Newbie



            After a thorough testing with the help of quickstarts, we debugged the logout flow in the code. There will be a SAML logout request to IDP by SP. In turn, the IDP returns a SAML logout response to SP. In my case, I was not receiving any response from IDP.

            We had to identify the proper logout url, which sent us the SAML logout response. Picketlink at SP side processed the logout response and invalidated the session.


            Pedro, thank you for the hint.


            Finally, we had implemented SSO successfully into our application and is working without any issues.