CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 13th September 2016
Issue:
IdP-initiated Single Logout (SLO) is failing with the following errors:
== AffWebserv.log ==
[12237/127507312][Thu Sep 08 2016 23:22:20][SLOService.java][ERROR][sm-FedClient-02180] "Error occurred during single logout. Message: Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81
== FWSTrace.log ==
[09/08/2016][23:22:20][12237][127507312][abcde807-9ab242d3-d9d5aacc-4e4b4259-d9f83537-46e][SLOService.java][handleLogout][
TUNNEL STATUS:
status : 21
message : Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81]
[09/08/2016][23:22:20][12237][127507312][abcde807-9ab242d3-d9d5aacc-4e4b4259-d9f83537-46e][SLOService.java][handleLogout][Output from Tunnel call:status=0&providerID=http://idp.com:81&isPOST=false&isSOAPEnabled=false;relayState=]
[09/08/2016][23:22:20][12237][127507312][abcde807-9ab242d3-d9d5aacc-4e4b4259-d9f83537-46e][SLOService.java][handleLogoutFailure][Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81]
== PS trace ==
[09/08/2016][23:22:20.292][12673][4023925616][SingleLogoutTunnelServiceHandler.java][tunnelHandler][1235dbac-56b8da1a-dcb1a6b3-05a0f3a7-cd62cb45-6eb][Returning from SLO tunnel. Status: status=21&message=Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81]
[09/08/2016][23:22:20.292][12673][4023925616][SingleLogoutTunnelServiceHandler.java][tunnelHandler][1235dbac-56b8da1a-dcb1a6b3-05a0f3a7-cd62cb45-6eb][Returning from SLO tunnel. Response: status=0&providerID=http://idp.com:81&isPOST=false&isSOAPEnabled=false;relayState=null]
Environment:
Policy Server: R12.52 SP1 CR5
Webagent & WAOP: R12.52 SP1 CR5
Cause:
Tunnel status = 21 indicates an unknown issuer.
The SLO Service location URL specifies the URL of the single logout service at the remote partner, i.e. the endpoint to which the single logout request is sent.
Hence, in this use case, the customer (acting as IdP) should have configured the following as the SLO Service URL:
http://<sp_host:port>/affwebservices/public/saml2slo
Instead, the customer specified the IdP host in the SLO Service URL, so the logout request was sent back to the IdP rather than to the SP partner, which caused the unknown issuer error.
Resolution:
To resolve the error, update the SLO Service URL accordingly in the IdP->SP partnership under 4. SSO and SLO >> SLO settings.
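As an added example (not part of the original tech tip and not CA SSO product code), the following Python script shows the two checks a support engineer would want to automate for this case: parsing the SLO tunnel status and issuer out of PS trace lines such as the ones quoted above, and validating that a configured SLO Service URL points at the SP partner's saml2slo endpoint rather than back at the IdP's own host. The trace lines are copied from the tip; the SP partner host `sp.example.com:80`, the function names and the `diagnose_slo_failure` helper are assumptions made for the example. Only tunnel status 21 is mapped to a meaning, because that is the only status the tip documents.

```python
import re
from urllib.parse import urlparse

# PS trace lines as quoted in the tech tip above (used here as sample input).
SAMPLE_PS_TRACE = [
    "[09/08/2016][23:22:20.292][12673][4023925616][SingleLogoutTunnelServiceHandler.java]"
    "[tunnelHandler][1235dbac-56b8da1a-dcb1a6b3-05a0f3a7-cd62cb45-6eb][Returning from SLO tunnel. "
    "Status: status=21&message=Issuer is not found; unable to verify signature. "
    "Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81]",
    "[09/08/2016][23:22:20.292][12673][4023925616][SingleLogoutTunnelServiceHandler.java]"
    "[tunnelHandler][1235dbac-56b8da1a-dcb1a6b3-05a0f3a7-cd62cb45-6eb][Returning from SLO tunnel. "
    "Response: status=0&providerID=http://idp.com:81&isPOST=false&isSOAPEnabled=false;relayState=null]",
]

# Only status 21 is documented in the tip ("unknown issuer"); anything else is reported as unmapped.
KNOWN_TUNNEL_STATUS = {21: "unknown issuer"}

# "status=<n>" optionally followed by "&message=<text up to the closing bracket>".
TUNNEL_STATUS_RE = re.compile(r"status=(?P<status>\d+)(?:&message=(?P<message>[^\]]*))?")
# The issuer the federation service could not resolve, e.g. "null:http://idp.com:81".
ISSUER_RE = re.compile(r"Issuer:\s*(?P<issuer>\S+)")

# Expected path of the SP-side single logout service, as given in the tip.
EXPECTED_SLO_PATH = "/affwebservices/public/saml2slo"


def parse_slo_tunnel_status(line):
    """Extract tunnel status, message and reported issuer from one trace line.

    Returns None for lines that carry no "status=" field.
    """
    m = TUNNEL_STATUS_RE.search(line)
    if not m:
        return None
    status = int(m.group("status"))
    message = (m.group("message") or "").strip()
    issuer_match = ISSUER_RE.search(message)
    return {
        "status": status,
        "message": message,
        "issuer": issuer_match.group("issuer") if issuer_match else None,
        "meaning": KNOWN_TUNNEL_STATUS.get(status, "unmapped status"),
    }


def check_slo_service_url(slo_service_url, local_idp_host, partner_sp_host):
    """Return a list of findings for the configured SLO Service URL (empty list means OK).

    local_idp_host / partner_sp_host are "host:port" strings as they appear in a URL's netloc.
    """
    parsed = urlparse(slo_service_url)
    findings = []
    if parsed.scheme not in ("http", "https"):
        findings.append("scheme is not http or https")
    if parsed.netloc.lower() == local_idp_host.lower():
        findings.append("SLO Service URL points at the local IdP host; it must point at the SP partner")
    elif parsed.netloc.lower() != partner_sp_host.lower():
        findings.append("SLO Service URL host does not match the configured SP partner host")
    if parsed.path != EXPECTED_SLO_PATH:
        findings.append("SLO Service URL path is not %s" % EXPECTED_SLO_PATH)
    return findings


def diagnose_slo_failure(trace_lines, slo_service_url, local_idp_host, partner_sp_host):
    """Combine both checks: status-21 trace entries plus a misdirected SLO Service URL."""
    unknown_issuer_entries = [
        entry for entry in (parse_slo_tunnel_status(l) for l in trace_lines)
        if entry and entry["status"] == 21
    ]
    findings = check_slo_service_url(slo_service_url, local_idp_host, partner_sp_host)
    report = {"unknown_issuer_entries": unknown_issuer_entries, "config_findings": findings}
    report["likely_cause"] = (
        "SLO Service URL misconfigured to the IdP host (tunnel status 21)"
        if unknown_issuer_entries and any("local IdP host" in f for f in findings)
        else None
    )
    return report


if __name__ == "__main__":
    # Assumed values: the IdP host comes from the trace, the SP partner host is a placeholder.
    report = diagnose_slo_failure(
        SAMPLE_PS_TRACE,
        "http://idp.com:81/affwebservices/public/saml2slo",  # the misconfigured value from the tip
        local_idp_host="idp.com:81",
        partner_sp_host="sp.example.com:80",
    )
    for entry in report["unknown_issuer_entries"]:
        print("status %d (%s), issuer %s" % (entry["status"], entry["meaning"], entry["issuer"]))
    for finding in report["config_findings"]:
        print("config:", finding)
    print("likely cause:", report["likely_cause"])
```

Run it against the real PS trace and the partnership's SLO settings; a status-21 entry together with a "points at the local IdP host" finding reproduces exactly the situation described in this tip, while a URL of the form http://<sp_host:port>/affwebservices/public/saml2slo yields no configuration findings.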