SSO Logout Issue - Security Constraints prevent access to page

manishm
Mega Guru

Hello everyone!

I am facing a "Security Constraints prevent access to requested page" issue when I try to log out from my instance. This was working fine in Geneva but is creating issues when upgrading to Istanbul Patch 6. The environment has SSO configured. I checked the Installation Exits and it should just be a normal logout.

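  processNormalLogout : function() {
      // Optional post-logout target supplied on the request
      var s = request.getParameter('sysparm_goto_url');
      // Follow it only if it passes the URL whitelist check
      if (s && GlideSecurityUtils.isURLWhiteListed(s))
          response.sendRedirect(s);
      else
          // Otherwise fall back to the standard logout page
          response.sendRedirect("logout_success.do");
      return true;
  }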

I am not sure what sysparm_goto_url is set to. This works fine in dev since dev does not have SSO. I am concerned that this will be an issue when we upgrade prod as well. Any pointers would be greatly appreciated.
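
The redirect decision in the processNormalLogout snippet above, sketched as a stand-alone added example (not part of the original post and not ServiceNow's code). The page does not show how GlideSecurityUtils.isURLWhiteListed works, so the allowlist logic, INSTANCE_ORIGIN, ALLOWED_HOSTS and the function names here are assumptions.

```javascript
// Added example: allowlist check for a post-logout redirect target.
// All names and hosts below are hypothetical, constructed for illustration.
const INSTANCE_ORIGIN = 'https://instance.example.com';
const ALLOWED_HOSTS = new Set(['instance.example.com', 'idp.example.com']);
const FALLBACK = 'logout_success.do'; // same fallback as the snippet above

function isAllowedRedirect(target) {
  if (typeof target !== 'string' || target.length === 0) return false;
  // Browsers and servers normalise control characters and backslashes
  // differently, so reject them instead of guessing.
  if (/[\u0000-\u001f\u007f\\]/.test(target)) return false;
  let url;
  try {
    // Resolving against the instance origin accepts relative paths and
    // exposes protocol-relative targets ("//host/path") as a foreign host.
    url = new URL(target, INSTANCE_ORIGIN);
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'https:') return false;    // no http:, javascript:, data:
  if (url.username || url.password) return false; // "https://allowed@other/"
  return ALLOWED_HOSTS.has(url.hostname);         // exact host match only
}

function resolveLogoutRedirect(gotoUrl) {
  return isAllowedRedirect(gotoUrl) ? gotoUrl : FALLBACK;
}

// Constructed sample values for sysparm_goto_url
const samples = [
  '/navpage.do',
  'https://idp.example.com/slo',
  '//other.example.net/x',
  'https://instance.example.com@other.example.net/',
  'https://instance.example.com.other.example.net/',
  'http://instance.example.com/',
  null,
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', resolveLogoutRedirect(s));
}
```
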

1 ACCEPTED SOLUTION

manishm
Mega Guru

I fixed it by setting a URL in the IdP's SingleLogout Request service. The Glide property for this is glide.authenticate.sso.saml2.idp_logout_url

Following is the text in SAML properties if you would like to set it there:

The base URL to the Identity Provider's SingleLogoutRequest service. The LogoutRequest will be posted to this URL as the SAMLRequest parameter

When I went into the logs, I was seeing an information message that:

IdP's Logout URL is not set!

which prompted me to think maybe this was required. This was not a requirement in Geneva and is working fine there.

Works just fine now! Posted the solution so it could help someone else.

