In the appConfig.xml file located at [JAS_HOME]\wlp\usr\server\jazzop\appConfig.xml, in the samlWebSso20 section, update the parameter forceAuthn to forceAuthn="false" and add the parameter spLogout="true":
    <samlWebSso20 id="defaultSP" spCookieName="jazzop_sso_cookie_idp" forceAuthn="false" authFilterRef="samlAuthFilter" spLogout="true" > </samlWebSso20>
idpMetadata.xml file contains HTTP-POST binding for SingleLogoutService. Currently Liberty only supports HTTP-POST Binding and not HTTP-Redirect Binding.
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mysaml.example.com/mysaml/slo" />
In the appConfig.xml file located at [JAS_HOME]\wlp\usr\server\jazzop\appConfig.xml, in the samlWebSso20 section, change the spCookieName parameter value from jazzop_sso_cookie_idp to jazzop_sso_cookie_saml_idp or to any name of your choice:
    <samlWebSso20 id="defaultSP" spCookieName="jazzop_sso_cookie_saml_idp" forceAuthn="false" authFilterRef="samlAuthFilter" spLogout="true" > </samlWebSso20>
Add /end_session to the Authentication Filter requestUrl:
    <authFilter id="samlAuthFilter">
        <requestUrl id="samlRequestUrl" urlPattern="/authorize|/end_session" matchType="contains" />
        <userAgent id="samlUserAgent" agent="Mozilla|Opera" matchType="contains"/>
    </authFilter>
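An added example, not part of the original page or of IBM's tooling: a Python check of the settings described above (forceAuthn, spLogout, the /end_session filter pattern and the HTTP-POST SingleLogoutService binding). The function name, the `<server>` root element and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def check_slo_config(app_config_xml, idp_metadata_xml):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    app = ET.fromstring(app_config_xml)
    sps = list(app.iter("samlWebSso20"))
    if not sps:
        findings.append("appConfig: no samlWebSso20 element")
    for sp in sps:
        if sp.get("forceAuthn") != "false":
            findings.append(f'{sp.get("id")}: forceAuthn must be "false"')
        if sp.get("spLogout") != "true":
            findings.append(f'{sp.get("id")}: spLogout="true" is missing')
        # urlPattern is a |-separated list on the filter named by authFilterRef
        patterns = [p for flt in app.iter("authFilter")
                    if flt.get("id") == sp.get("authFilterRef")
                    for req in flt.iter("requestUrl")
                    for p in req.get("urlPattern", "").split("|")]
        if "/end_session" not in patterns:
            findings.append(f'{sp.get("id")}: auth filter does not match /end_session')
    # The page notes Liberty supports only HTTP-POST for SingleLogoutService
    md = ET.fromstring(idp_metadata_xml)
    bindings = {e.get("Binding") for e in md.iter(MD_NS + "SingleLogoutService")}
    if HTTP_POST not in bindings:
        findings.append("idpMetadata: no HTTP-POST SingleLogoutService")
    return findings

# Constructed sample inputs (not taken from a real deployment)
GOOD_APP = """<server>
  <samlWebSso20 id="defaultSP" forceAuthn="false" authFilterRef="samlAuthFilter" spLogout="true"/>
  <authFilter id="samlAuthFilter">
    <requestUrl id="samlRequestUrl" urlPattern="/authorize|/end_session" matchType="contains"/>
  </authFilter>
</server>"""
BAD_APP = (GOOD_APP.replace('forceAuthn="false"', 'forceAuthn="true"')
           .replace(' spLogout="true"', "").replace("|/end_session", ""))
GOOD_MD = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="constructed-idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{HTTP_POST}" Location="https://mysaml.example.com/mysaml/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
BAD_MD = GOOD_MD.replace("HTTP-POST", "HTTP-Redirect")

if __name__ == "__main__":
    print(check_slo_config(GOOD_APP, GOOD_MD), check_slo_config(BAD_APP, BAD_MD), sep="\n")
```

To check a real server, pass the contents of appConfig.xml and idpMetadata.xml as strings.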
This workaround would work if you can directly access the OIDC Logout URL:
    https://preprod.example.com/ui/oidcclient/logout
For jts, ccm, qm, rm, gc and dcc, perform the following:
    Open https://[ELM_URL]/[app]/admin#action=com.ibm.team.repository.admin.configureAdvanced
    Find Web Logout URI and update the value to the Logout URL received.
    Find Trusted URIs for client authorization and redirection and update the value with the Logout URL received.