Tech Tip : CA Single Sign-On : Why doesn't the logoff button in CA PAM work when I protect CA PAM with SAML and CA Single Sign-On as IdP?

Discussion created by Patrick-Dussault Employee on Apr 3, 2018



We're running CA PAM. When I protect the application with SAML, the
SLO functionality doesn't work as expected. I don't get logged off
the application even if I have clicked on the logoff button.

My environment is integrated with CA Single Sign-On 12.7 as IdP.




After the logout, when the browser comes back to the IdP, it presents
an SMSESSION cookie. Because this session is still valid, the IdP
doesn't request any credentials and sends the SAML response straight
to the PAM SP side. That's why you get the impression that the logout
functionality doesn't work with SAML.

To make the logout button remove both the SP and the IdP cookies,
you need to open an Idea on the PAM product. You should request that
PAM SAML Authentication implement the full SAML SLO functionality.
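
The behavior described above, as an added toy model in Python (not CA PAM or CA Single Sign-On code). Only the SMSESSION cookie name comes from the text; the `SP_SESSION` cookie, the class names and the `full_slo` flag are assumptions for illustration. It contrasts an SP-only logout with a logout that also ends the IdP session.

```python
import secrets

class IdP:
    """Toy IdP: SSO sessions are keyed by the SMSESSION cookie value."""
    def __init__(self):
        self.sessions = {}  # SMSESSION value -> user

    def sso(self, jar, credentials=None):
        """Handle an authentication request. Returns (user, prompted)."""
        user = self.sessions.get(jar.get("SMSESSION"))
        if user:                      # IdP session still valid: no prompt
            return user, False
        if credentials is None:       # no session, nothing submitted yet
            return None, True
        jar["SMSESSION"] = secrets.token_hex(8)
        self.sessions[jar["SMSESSION"]] = credentials
        return credentials, True

    def slo(self, jar):
        """End the IdP session and drop its cookie."""
        self.sessions.pop(jar.pop("SMSESSION", None), None)

class SP:
    """Toy SP (hypothetical SP_SESSION cookie) that trusts the IdP."""
    def __init__(self, idp):
        self.idp, self.sessions = idp, {}

    def access(self, jar, credentials=None):
        """Returns (page shown, whether the user was asked to log in)."""
        if jar.get("SP_SESSION") in self.sessions:
            return "app", False
        user, prompted = self.idp.sso(jar, credentials)
        if user is None:
            return "login-page", True
        jar["SP_SESSION"] = secrets.token_hex(8)
        self.sessions[jar["SP_SESSION"]] = user
        return "app", prompted

    def logout(self, jar, full_slo=False):
        self.sessions.pop(jar.pop("SP_SESSION", None), None)
        if full_slo:                  # assumption: SP also triggers IdP logout
            self.idp.slo(jar)

def scenario(full_slo):
    """Log in, click logout, then revisit the app without credentials."""
    idp = IdP(); sp = SP(idp); jar = {}   # jar = browser cookies (constructed)
    sp.access(jar, credentials="alice")
    sp.logout(jar, full_slo)
    return sp.access(jar)

if __name__ == "__main__":
    print("SP-only logout:", scenario(False))
    print("Full SLO:      ", scenario(True))
```
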

KB : KB000071352