Solutions
Archived

Single Logout is not redirecting the user to the RelayState URL after logging out in OpenAM 11.0.0

Last updated Jan 5, 2021

The purpose of this article is to provide information if Single Logout (SLO) is failing to redirect the user to the RelayState URL after logging out in OpenAM 11.0.0.

1 reader recommends this article

Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

SLO fails to redirect the user to the RelayState URL after logging out and instead displays the default.jsp page (IdP or SP initiated single logout succeeded). This occurs in the following situations: 

  • IdP initiated SLO using SOAP binding
  • All SP initiated SLO using the Fedlet.  

Recent Changes

N/A

Causes

The RelayState URL is incorrectly validated and then ignored.

In some cases RelayState validation removes the metaAlias from the endpoint URL and RelayState cannot be validated, as it is not possible to determine the hosting entity.

Solution

This issue can be resolved by upgrading to OpenAM 11.0.1 or later; you can download this from BackStage.

See Also

OpenAM Administration Guide › Managing SAML 2.0 Federation › Using SAML 2.0 Single Sign-On & Single Logout

Related Training

N/A

Related Issue Tracker IDs

OPENAM-3202 (RelayState is validated as a URL)

OPENAM-3437 (RelayState validation fails during SLO)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.