OIF SAML 2.0 Global SSO Logout Is Not Performed With SalesForce Peer Provider
Last updated on MARCH 08, 2017
Applies to: Oracle Identity Federation - Version 18.104.22.168 and later
Information in this document applies to any platform.
Oracle Identity Federation (OIF) does not perform SAML 2.0 Global Single Logout (SLO) with a SalesForce peer provider.
OIF 11g is configured with Oracle Access Manager (OAM) 11g as authentication engine.
OIF is configured as Identity Provider (IdP) with SalesForce as Service Provider (SP).
OIF Single Sign On (SSO) to Salesforce SP applications is successful.
However, when logout is initiated from the OAM application in the IdP domain, the user is not logged out of the SalesForce SP domain. Accessing the SalesForce application in the same browser session after the OAM/OIF logout does not prompt for login.
Likewise, when logout is initiated from the SalesForce application in the SP domain, the user is not logged out of OIF and OAM in the IdP domain. Accessing an OAM-protected application in the same browser session does not prompt for OAM login.
Example steps to reproduce:
1. Access any OAM-protected application in the IdP domain, e.g. Oracle Analytics, and log in.
2. Access a link that triggers OIF IdP-initiated SSO with the SalesForce SP, i.e. http(s)://OIFHOST.DOMAIN:PORT/fed/idp/initiatesso?providerid=https://spapp.salesforce.com
3. Return to the Analytics application for more user activity.
4. Click Logout in Analytics.
5. Analytics calls OAM SSO logout.
6. OAM expires the OAM cookies and redirects to the OIF logout URL at http(s)://OIFHOST.DOMAIN:PORT/fed/user/authnslooam11g
7. OIF expires the OIF session cookie and redirects back to the Analytics application.
==> No SAML LogoutRequest is sent to the SalesForce SP by the OIF IdP.
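One way to check for this symptom in a captured browser redirect chain, as an added example that is not Oracle's code and not part of the original note: it decodes every HTTP-Redirect-binding SAMLRequest in the chain and reports whether a samlp:LogoutRequest was actually delivered to the SP host. The hostnames, the IdP entity ID path and the SalesForce SLO endpoint path are assumed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def decode_redirect_request(url):
    """Return the parsed SAMLRequest carried by an HTTP-Redirect binding URL, or None."""
    params = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in params:
        return None
    raw = base64.b64decode(params["SAMLRequest"][0])
    # The HTTP-Redirect binding uses raw DEFLATE with no zlib header, hence wbits=-15.
    return ET.fromstring(zlib.decompress(raw, -15))

def find_logout_requests(trace, sp_host):
    """Return the Issuer of every samlp:LogoutRequest in `trace` that is sent to sp_host."""
    found = []
    for url in trace:
        if urlparse(url).hostname != sp_host:
            continue
        root = decode_redirect_request(url)
        if root is not None and root.tag == f"{{{SAMLP}}}LogoutRequest":
            found.append(root.findtext(f"{{{SAML}}}Issuer"))
    return found

def encode_logout_request(endpoint, issuer, name_id):
    """Build a constructed LogoutRequest and wrap it in an HTTP-Redirect URL (sample data only)."""
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_c1" '
           f'Version="2.0" IssueInstant="2017-03-08T00:00:00Z" Destination="{endpoint}">'
           f"<saml:Issuer>{issuer}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>"
           "</samlp:LogoutRequest>")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode()) + comp.flush()
    return endpoint + "?" + urlencode({"SAMLRequest": base64.b64encode(data).decode()})

# Constructed redirect chains; hosts and the SP logout endpoint are assumptions, not real values.
IDP = "https://oifhost.example.com:443"
SP_HOST = "spapp.salesforce.com"
BROKEN_TRACE = [IDP + "/fed/user/authnslooam11g",   # OAM hands off to OIF logout...
                "https://analytics.example.com/"]   # ...which just returns to the application
HEALTHY_TRACE = [IDP + "/fed/user/authnslooam11g",
                 encode_logout_request(f"https://{SP_HOST}/saml/logout", IDP + "/fed/idp", "user@example.com"),
                 "https://analytics.example.com/"]
```

Running `find_logout_requests` over the broken chain from the steps above returns an empty list, which is exactly the missing LogoutRequest this note describes; over a healthy chain it returns the IdP's Issuer.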