Signed Sign-On Logout Response Is Not Signed If the Signed Logout Request Is Initiated by the IDP
(Doc ID 2366095.1)
Last updated on APRIL 24, 2018
Applies to: Oracle BigMachines CPQ Cloud Service - Version 11.0 and later
Information in this document applies to any platform.
When SSO is configured to require signed requests, both the request and the response for login and for logout should be signed.
This works when logging in through SITENAME.bigmachines.com/sso/saml_request.jsp and logging out by clicking the "Log Out" button in CPQ Cloud sites. However, if the logout request is initiated by the IDP, the CPQ Cloud session ends (the user is logged out of CPQ Cloud), but the SAML logout response returned to the IDP is not signed.
The user then has to log out of the IDP again manually. This issue is caused by the unsigned logout response from CPQ Cloud.
Steps to reproduce:
- When setting up SSO in Admin > Single Sign-On Settings, choose "Yes" for "Require Signed Request?", upload the certificate and fill out all the fields it requires. Fill out the rest of the fields to finish the setup.
- After SSO is set up and working correctly, log in through SITENAME.bigmachines.com/sso/saml_request.jsp.
- Keep the CPQ Cloud site open in one tab. Open a new tab and log in to the IDP directly.
- Log out of the IDP.
- An error may appear, depending on the IDP. Refresh the CPQ Cloud page: the user is logged out. Refresh the IDP page: the user is not logged out of the IDP. Check the SAML request and response for the logout from the IDP: the request is correct, but the response is:
<?xml version="1.0" encoding="UTF-8"?>
The IDP session would be terminated in Step 5 if the response were signed. The expected response is:
IssueInstant="2018-01-26T18:10:25Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
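As an added illustration (not part of the Oracle note), a small Python check for the diagnostic in Step 5: it parses a SAML LogoutResponse and reports whether it carries an enveloped ds:Signature, whether its status is Success, and whether InResponseTo matches the ID of the IDP's LogoutRequest. The two messages below are constructed samples, not captures from CPQ Cloud, and the check only detects the presence of a signature; it does not cryptographically validate it.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def inspect_logout_response(xml_text, expected_request_id=None):
    """Describe a samlp:LogoutResponse: signed or not, status, Issuer, InResponseTo.
    Only the presence of a ds:Signature child is checked, not its validity."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutResponse":
        raise ValueError("not a samlp:LogoutResponse: %s" % root.tag)
    sig = root.find("ds:Signature", NS)          # enveloped signature sits directly under the root
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    issuer = root.find("saml:Issuer", NS)
    in_response_to = root.get("InResponseTo")
    problems = []
    if sig is None:
        problems.append("LogoutResponse is not signed (no ds:Signature element)")
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    if expected_request_id and in_response_to != expected_request_id:
        problems.append("InResponseTo does not match the LogoutRequest ID")
    return {"signed": sig is not None,
            "issuer": issuer.text if issuer is not None else None,
            "in_response_to": in_response_to,
            "problems": problems}


# Constructed samples (placeholder IDs and issuer, not real CPQ Cloud traffic):
# the same LogoutResponse once without and once with an enveloped ds:Signature.
_BODY = (
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" '
    'InResponseTo="_idp_req1" IssueInstant="2018-01-26T18:10:25Z" Version="2.0">'
    '<saml:Issuer>https://SITENAME.bigmachines.com</saml:Issuer>{sig}'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:LogoutResponse>'
)
UNSIGNED_RESPONSE = _BODY.format(sig="")
SIGNED_RESPONSE = _BODY.format(
    sig='<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/>'
        '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')

if __name__ == "__main__":
    for name, msg in (("unsigned", UNSIGNED_RESPONSE), ("signed", SIGNED_RESPONSE)):
        print(name, inspect_logout_response(msg, expected_request_id="_idp_req1"))
```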
No changes were made to the site. The SSO functionality in CPQ Cloud was not designed to return a signed response to a logout request initiated by the IDP.