2022 Mar 08 7:37 PM - edited 2024 Feb 04 2:37 AM
While logging out of the account, the hybris logout is configured to redirect to the IDP service for logout. But this is happening only after calling the logout URL twice, with the first time returning a 401 Unauthorized error.
It is something like this: https://local-hybris:9002/logout is expected to redirect to the IDP's logout
https://idpsystemsdomain/..../B2C_1A_signup_signin_samlidp/samlp/sso/logout to log the user out of the IDP, which is not happening the first time it is requested.
The first time the user clicks on https://local-hybris:9002/logout, hybris is configured at StorefrontFilter to redirect to SAML with /samlsinglesignon/saml/logout, which is expected to invoke the IDP service at https://idpsystemsdomain/..../B2C_1A_signup_signin_samlidp/samlp/sso/logout from the metadata file's <SingleSignOut> location. But this is not working in the 2011 upgrade. It was working in the 1905 version.
Steps to reproduce the error.
Attached is the SAML tracer report with:
1. The first time, requesting /samlsinglesignon/saml/logout redirects directly to the successLogoutHandler URL configured in the SAML spring-security-config.xml, samlsinglesignon.logout.redirect.url=/bell/en/USD/login, and returns 401 Unauthorized access.
2. But the second time, the SAML request to /samlsinglesignon/saml/logout invokes a POST request to the IDP logout URL https://idpsystemsdomain/..../B2C_1A_signup_signin_samlidp/samlp/sso/logout as highlighted in the screenshot, logs the user out of the IDP, and then the successHandler is invoked.

To note, login is working correctly, with the SAML login /samlsinglesignon/saml/login invoking the IDP login from the metadata.xml file's <SingleSignOnService> location, whereas logout is not the first time it is requested.
The issue got resolved by reusing the 1905 version's RedirectionController.class file in samlsinglesignon:
hybris\bin\modules\platform\samlsinglesignon\web\webroot\WEB-INF\classes\de\hybris\platform\samlsinglesignon\RedirectionController.class
This class file in 2011 had a finally block that removes the SecurityContext's authentication. When this finally block is removed in 2011, the logout seems to work correctly.
Below are the steps to replace this file with the old .class file:
1. Add the RedirectionController.class file to the SSO custom extension's resources folder.
2. Edit the custom extension's buildcallbacks.xml to replace the file with the older file as below:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- buildcallbacks.xml of the custom ssoazureb2c extension; the <project> root is added
     so the file is a complete Ant file, the macrodef is as posted -->
<project name="ssoazureb2c_buildcallbacks">
  <macrodef name="ssoazureb2c_before_build">
    <sequential>
      <if>
        <available file="${ext.samlsinglesignon.path}/web/webroot/WEB-INF/classes/de/hybris/platform/samlsinglesignon/RedirectionController.class" />
        <then>
          <echo>Replacing the RedirectionController breaking in 2011 ##########</echo>
          <!-- drop the 2011 class and copy in the 1905 copy kept in the custom extension's resources -->
          <delete file="${ext.samlsinglesignon.path}/web/webroot/WEB-INF/classes/de/hybris/platform/samlsinglesignon/RedirectionController.class" />
          <copy file="${ext.ssoazureb2c.path}/resources/ssoazureb2c/RedirectionController.class"
                tofile="${ext.samlsinglesignon.path}/web/webroot/WEB-INF/classes/de/hybris/platform/samlsinglesignon/RedirectionController.class" />
        </then>
      </if>
    </sequential>
  </macrodef>
</project>
```

3. Build with ant all and start the server.
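One check worth keeping next to this workaround, as an added example that is not part of the original post or of SAP's code: because a platform class file is being swapped at build time, confirm after each `ant all` that the deployed RedirectionController.class is byte-for-byte the 1905 copy kept in the custom extension, so a later patch or upgrade that silently reverts it (and with it the logout fix) is noticed. The HYBRIS_HOME default and the custom extension's path are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from SAP): integrity check for the replaced class.
# Prints OK / MISMATCH / MISSING and returns 0 only when the deployed class equals the pinned copy.

# SHA-256 hex digest of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# $1 = deployed class under samlsinglesignon, $2 = pinned copy in the custom extension.
# Return codes: 0 match, 1 digest mismatch, 2 a file is missing.
check_redirection_controller() {
  deployed="$1"
  pinned="$2"
  [ -f "$pinned" ]   || { echo "MISSING pinned copy: $pinned"; return 2; }
  [ -f "$deployed" ] || { echo "MISSING deployed class: $deployed"; return 2; }
  if [ "$(sha256_of "$deployed")" = "$(sha256_of "$pinned")" ]; then
    echo "OK: deployed RedirectionController.class matches the pinned 1905 copy"
    return 0
  fi
  echo "MISMATCH: deployed RedirectionController.class differs from the pinned copy (build or patch may have reverted it)"
  return 1
}

# Paths modelled on the post; HYBRIS_HOME and the custom extension location are assumptions.
HYBRIS_HOME="${HYBRIS_HOME:-/opt/hybris}"
DEPLOYED="$HYBRIS_HOME/bin/modules/platform/samlsinglesignon/web/webroot/WEB-INF/classes/de/hybris/platform/samlsinglesignon/RedirectionController.class"
PINNED="$HYBRIS_HOME/bin/custom/ssoazureb2c/resources/ssoazureb2c/RedirectionController.class"

# Run the check when invoked with explicit paths (deployed pinned); otherwise the defaults above apply.
if [ $# -eq 2 ]; then
  check_redirection_controller "$1" "$2"
elif [ "${RUN_DEFAULT_CHECK:-0}" = "1" ]; then
  check_redirection_controller "$DEPLOYED" "$PINNED"
fi
```

Run it from the post-build step (or a cron job) with RUN_DEFAULT_CHECK=1 so a non-zero exit fails the pipeline.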