Showing results for 
Search instead for 
Did you mean: 

Upgrade from 1905 to 2011 SAML Logout 401 Unauthorized Issue

0 Kudos

While logging out of the account, the hybris logout is configured to redirect to IDP service for logout. But this is happening only after calling the logout URL twice. With first time returning 401 Unauthorized errror.

It is something like https://local-hybris:9002/logout is expected to redirecting to IDP's logout

https://idpsystemsdomain/..../B2C_1A_signup_signin_samlidp/samlp/sso/logout to logout the user from IDP which is not happening the first time its requested.

The first time user clicks on https://local-hybris:9002/logout , hybris is configured at StorefrontFilter to redirect to SAML with /samlsinglesignon/saml/logout which is expected to invoke IDP service at https://idpsystemsdomain/..../B2C_1A_signup_signin_samlidp/samlp/sso/logout from metadata file <SingleSignOut> location. But this is not working in 2011 upgrade. It was working in 1905 version.

Steps to reproduce error.

Attached the SAML tracer report with

1. the first time requesting /samlsinglesignon/saml/logout redirecting directly to SAML spring-security-config.xml configured successLogoutHandler url samlsinglesignon.logout.redirect.url=/bell/en/USD/login and returing 401 Unauthorized access.

2. But second time the SAML request to /samlsinglesignon/saml/logout invokes a POST request to IDP logout url https://idpsystemsdomain/..../B2C_1A_signup_signin_samlidp/samlp/sso/logout as highlighted in screenshot , logsout the user of IDP and then successHandler is invoked.

To note, Login is working correctly with SAML login /samlsinglesignon/saml/login invoking IDP login from metadata.xml file's <SingleSignOnService> location, where as logout is not the firsttime its requested.

Accepted Solutions (0)

Answers (1)

Answers (1)

0 Kudos

The issue got resolved by reusing the 1905 verison's RedirectionController.class file in Samlsinglesignon


This class file in 2011 had a finally block to remove SecurityContext's authentication. When this finally block is removed in 2011 the logout seems to be working correctly.

Below are the steps to replace this file with old .class file

1. Add the RedirectionController.class file to SSO custom extensions resource folder path

2. Edit the custom extensions buildcallbacks.xml to replace the file with older file as below

<?xml version="1.0" encoding="UTF-8"?> <macrodef name="ssoazureb2c_before_build"> <sequential> <if> <available file="${ext.samlsinglesignon.path}/web/webroot/WEB-INF/classes/de/hybris/platform/samlsinglesignon/RedirectionController.class" /> <then> <echo>Replacing the RedirectionController breaking in 2011 ##########</echo> <delete file="${ext.samlsinglesignon.path}/web/webroot/WEB-INF/classes/de/hybris/platform/samlsinglesignon/RedirectionController.class" /> <copy file="${ext.ssoazureb2c.path}/resources/ssoazureb2c/RedirectionController.class" tofile="${ext.samlsinglesignon.path}/web/webroot/WEB-INF/classes/de/hybris/platform/samlsinglesignon/RedirectionController.class" /> </then> </if> </sequential> </macrodef>

3. build with ant all and start the server.