Version Affected: 24.04
Description:
How to migrate from SLO VAM to Native SLO in 24.04
Cause:
As single logout is natively available in 24.04, SLO VAM is not tested on this IDP version and customers must migrate from VAM to the native feature.
Resolution:
- Decrypt and create a backup copy of the web.config file from the realm you want to migrate from SLO VAM to Native SLO.
- Copy the value of the LogoutUrl key, then remove the following keys from web.config:
<add key="SingleLogout" value="True" />
<add key="MultiSessionEnabled" value="True" />
<add key="SingleSessionEnabled" value="False" />
<add key="SSTokenName" value="SSToken" />
<add key="MSTokenName" value="MSToken" />
<add key="LogoutMethod" value="2" />
<add key="CaptureLogoutURL" value="True" />
<add key="LogoutUrl" value="https://URL" />
<add key="LogoutTokenExpiration" value="True" />
<add key="LogoutTokenExpirationTime" value="5" />
<add key="SignLogoutMessage" value="False" />
- If the realm is configured using Classic/Advanced settings, it must be migrated to the new experience.
- Once the realm is migrated to the new experience, open the application settings and edit the connection settings.
- Under the SAML logout section, enter the SAML Logout URL (copied in step 2), SAML Request Certificate and SAML Logout Binding so that the Single Logout option appears. Use the toggle switch to enable Single Logout and click the Update settings button.
- If the service provider is not signing SAML requests, enter a dummy value in the SAML Request Certificate textbox, enable Single Logout, remove the dummy value, and click Update settings.
- Make sure the following key is set to True in the web.config file:
<add key="SingleLogoutEnabled" value="True" />
- In the Service Provider settings, update the Identity Provider Single Logout URL to: https://example.idp.com/SecureAuthXX/SAML20LogoutService.aspx
- If updating the above setting isn't feasible, create the following URL rewrite rule in IIS on the IdP:
- Below is what a successful single logout looks like:
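The web.config edits in the steps above (capture LogoutUrl, remove the SLO VAM keys, confirm SingleLogoutEnabled) can be scripted against a decrypted copy of the file. This is an added example, not SecureAuth code; the function name Remove-SloVamKeys and the sample configuration are assumptions made for illustration, and the key list is taken from the steps above.

```powershell
# Added example (not SecureAuth code). Key names are the ones listed in the steps above.
$LegacyKeys = 'SingleLogout', 'MultiSessionEnabled', 'SingleSessionEnabled', 'SSTokenName',
              'MSTokenName', 'LogoutMethod', 'CaptureLogoutURL', 'LogoutUrl',
              'LogoutTokenExpiration', 'LogoutTokenExpirationTime', 'SignLogoutMessage'

function Remove-SloVamKeys {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Config)

    $appSettings = $Config.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) { throw 'No <appSettings> section found.' }
    # An encrypted section holds <EncryptedData> instead of <add> elements.
    if ($appSettings.SelectSingleNode("*[local-name()='EncryptedData']")) {
        throw 'appSettings is still encrypted; decrypt web.config first.'
    }

    $logoutUrl = $null
    $removed = @()
    # @(...) snapshots the node list so removal does not disturb the enumeration.
    foreach ($node in @($appSettings.SelectNodes('add'))) {
        $key = $node.GetAttribute('key')
        # -in compares whole names, case-insensitively, so the native
        # SingleLogoutEnabled key is not mistaken for legacy SingleLogout.
        if ($key -in $LegacyKeys) {
            if ($key -eq 'LogoutUrl') { $logoutUrl = $node.GetAttribute('value') }
            [void]$appSettings.RemoveChild($node)
            $removed += $key
        }
    }
    $native = @($appSettings.SelectNodes('add')) |
        Where-Object { $_.GetAttribute('key') -eq 'SingleLogoutEnabled' } |
        Select-Object -First 1
    [pscustomobject]@{
        LogoutUrl           = $logoutUrl   # value for the SAML Logout URL field
        RemovedKeys         = $removed
        SingleLogoutEnabled = [bool]($native -and $native.GetAttribute('value') -eq 'True')
    }
}

# Constructed sample input, not a real realm configuration.
[xml]$sample = @'
<configuration>
  <appSettings>
    <add key="SingleLogout" value="True" />
    <add key="LogoutUrl" value="https://sp.example.test/slo" />
    <add key="SingleLogoutEnabled" value="False" />
  </appSettings>
</configuration>
'@
Remove-SloVamKeys -Config $sample | Format-List
```

To apply this to a real realm, load the decrypted file with `[xml]$cfg = Get-Content -Raw` and its full path, run the function, and call `$cfg.Save()` with the same full path once the backup copy exists.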
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.