
Liberty OP configured with SAML IdP, logout at OP is not propagated to the IdP #18177

Closed
shubjit opened this issue Aug 13, 2021 · 7 comments
Labels
Aha Idea bug This bug is not present in a released version of Open Liberty Needs member attention release bug This bug is present in a released version of Open Liberty release:22004 team:Security SSO

Comments

@shubjit

shubjit commented Aug 13, 2021

Describe the bug

We have configured our ELM applications (RP) with Liberty OP which is further delegated to a SAML IDP.
https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-configuring-saml-web-browser-sso-in

In this case we have issues with Application logout which was solved by adding the attribute spLogout="true" in the samlWebSso20 configuration.

To achieve SSO between our applications configured with Liberty OP and other applications configured with the SAML IDP we have set the value forceAuthn="false" within the samlWebSso20 config.

When we set forceAuthn="false" the SSO between Liberty OP and Other applications connected to SAML IDP works, but then the Logout is not working.

Steps to Reproduce

<samlWebSso20
    id="defaultSP"
    spCookieName="my_sso_cookie_idp"
    forceAuthn="false"
    spLogout="true"
    authFilterRef="samlAuthFilter">
</samlWebSso20>
  • Once configured test Logout from the RP application
  • It redirects all the way to SAML IDP and behaves as a Login request and is returned back to the RP Application

Expected behavior
Logout should work with forceAuthn="false" parameter

Diagnostic information:

  • OpenLiberty Version: 19.0.0.6 (Tested with 21.0.0.6)
  • Java Version: [i.e. full output of java -version]

Additional context
Add any other context about the problem here.

@shubjit shubjit added the bug This bug is not present in a released version of Open Liberty label Aug 13, 2021
@shubjit shubjit changed the title When OP is configured with SAML IDP and forceAuthn=false, logout is treated as Login request Liberty OP configured with SAML IDP with forceAuthn=false, logout is treated as Login request Aug 13, 2021
@utle
Member

utle commented Aug 13, 2021

@teddyjtorres, please take a look.

@teddyjtorres teddyjtorres added this to Backlog in Security SSO Aug 16, 2021
@barbj
Member

barbj commented Sep 10, 2021

@arunavemulapalli Can you look at this?

@arunavemulapalli
Contributor

There is a problem on the Liberty side, and this is a missing function: we need to integrate our Liberty OIDC OP end_session with our SAML SP-initiated SLO (single logout), especially since we provide the capability to protect the OP authorize endpoint with SAML.

RP Login > OP authorize > SAML SP login with IdP (we can protect the OP 'authorize' request with SAML and then redirect the request to the IdP to complete the authentication; this flow works and customers/stack products/w3id are using this already)

However,
a. RP Logout > b. OP end_session > c. servlet request.logout > d. SAML SP-initiated logout > e. IdP logout: this is not working as expected.
It is not reaching c.
I made a code change and, with some additional configuration updates (protecting the end_session with SAML and also making the end_session a secure endpoint, etc.), we tried this in Shubjit's environment. Now I can see that the request.logout() call is made, but the rest is not working yet (where the SAML TAI logout, if invoked, can drive the SP-initiated logout, etc.).
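The symptom in the report (logout "behaves as a Login request") and the a-to-e chain above can both be checked from the browser side without touching server code: capture the Location header of the redirect the SP sends toward the IdP and decode what it carries. This is an added example, not Open Liberty's code; it assumes the SP uses the SAML HTTP-Redirect binding (raw DEFLATE + base64 in the SAMLRequest query parameter), and the IdP URLs, IDs and NameID are constructed sample values.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
IDP_SSO = "https://idp.example.test/saml/sso"   # constructed IdP endpoints
IDP_SLO = "https://idp.example.test/saml/slo"

def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64 (the value of ?SAMLRequest=)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_binding(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()

def classify_saml_redirect(location: str) -> dict:
    """Inspect the redirect Location the SP handed the browser and report what was sent.
    logout_propagated is True only if the SP actually issued a LogoutRequest (step d)."""
    qs = parse_qs(urlparse(location).query)
    if "SAMLRequest" not in qs:
        return {"kind": "none", "force_authn": None, "logout_propagated": False}
    root = ET.fromstring(decode_redirect_binding(qs["SAMLRequest"][0]))
    ns, _, kind = root.tag.partition("}")
    if ns != "{" + SAMLP:
        kind = "unknown"
    return {"kind": kind,
            "force_authn": root.get("ForceAuthn"),
            "logout_propagated": kind == "LogoutRequest"}

# Constructed samples of the two things the browser might be redirected with.
AUTHN_XML = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_a1" Version="2.0" '
             'ForceAuthn="false" AssertionConsumerServiceURL="https://op.example.test/acs"/>' % SAMLP)
LOGOUT_XML = ('<samlp:LogoutRequest xmlns:samlp="%s" ID="_l1" Version="2.0">'
              '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">user@example.test'
              '</saml:NameID></samlp:LogoutRequest>' % SAMLP)

def sample_redirect(xml_text: str, endpoint: str) -> str:
    return endpoint + "?" + urlencode({"SAMLRequest": encode_redirect_binding(xml_text)})

BUGGY_LOGOUT = sample_redirect(AUTHN_XML, IDP_SSO)   # reported symptom: logout turned into a login
FIXED_LOGOUT = sample_redirect(LOGOUT_XML, IDP_SLO)  # expected after the fix: SP-initiated SLO

if __name__ == "__main__":
    for name, loc in (("buggy", BUGGY_LOGOUT), ("fixed", FIXED_LOGOUT)):
        print(name, classify_saml_redirect(loc))
```

Feed the function the Location values recorded in a browser HAR of a real logout attempt; an AuthnRequest with ForceAuthn="false" is exactly the silent re-login the reporter saw, and it shows the SLO chain stopped before step d.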

@arunavemulapalli arunavemulapalli self-assigned this Sep 24, 2021
@arunavemulapalli
Contributor

I should have mentioned this: it does not matter what the forceAuthn setting is. The SAML SP (or OP) is NOT initiating the SAML single logout (SLO) requests when the RP is logging out.
The behavior difference you are seeing is due to how the IdP handles login requests in general (forceAuthn false vs. true).

@arunavemulapalli
Contributor

Sent a test fix to Shubjit and he verified it in his test environment.

@NottyCode NottyCode added the release bug This bug is present in a released version of Open Liberty label Jan 7, 2022
@arunavemulapalli arunavemulapalli changed the title Liberty OP configured with SAML IDP with forceAuthn=false, logout is treated as Login request Liberty OP configured with SAML IdP, logout at OP is not propagated to the IdP Mar 1, 2022
@arunavemulapalli
Contributor

We finally got the changes verified in the client's environment (they verified a test fix built on the Liberty 20.0.0.6 level) and the fix is working. I will go ahead with the code delivery.

@shubjit shubjit closed this as completed Mar 18, 2022
Security SSO automation moved this from In Progress to Done Mar 18, 2022
@shubjit
Author

shubjit commented Mar 18, 2022

Thank you for the fix @arunavemulapalli.
We have tested the logout and it now works in the customer environment.
