13 Replies Latest reply on Jul 17, 2008 12:07 PM by (Matt_MacKenzie)

    Can't Logout when Single Sign On is enabled

    Level 1
      Hi,

      I have been able to get the Workspace Single Sign On feature to work, but now users can't logout of Workspace. It looks like the logout link logs the user out and redirects to the login page, which sees the SSO HTTP headers and logs the user back in.

      Does anyone know of a way to correct this behavior?

      Thanks.
        • 1. Re: Can't Logout when Single Sign On is enabled
          Level 1
          This behaviour is as designed. If Workspace is configured for SSO then a Workspace logout has no real purpose. You would need to logout of the SSO session.
          • 2. Re: Can't Logout when Single Sign On is enabled
            Level 1
            Is there a way to remove the "Logout" link from the top menu when single sign on is enabled?
            • 3. Re: Can't Logout when Single Sign On is enabled
              Level 1
              Unfortunately there is no clean way to detect for SSO. The only thing I can propose is if this is a pure SSO environment then you can remove the logout button in Workspace and recompile/deploy the app.
              • 4. Re: Can't Logout when Single Sign On is enabled
                kc@dafolo.dk Level 1
                I would like to know a litlle bit about how to setup the SSO for LC, is it possible to make it work with Windows domain logon?

                Sincerely
                Kim
                • 5. Re: Can't Logout when Single Sign On is enabled
                  chetanm_oct
                  Yes with LC ES Update 1 (or 8.2.1) its possible to have SSO with Windows domain logon.
                  The documents explaining that are currently avialable through prerelease site. If you are part of pre-release program you can access it under documentation at User Management > Enabling SSO in LiveCycle ES > Enabling SSO using SPNEGO

                  Let us know if you require more details on that.
                  • 6. Re: Can't Logout when Single Sign On is enabled
                    kc@dafolo.dk Level 1
                    Hi again,

                    Thanks for the info - I have found the documentation that you mention, however I still need some help setting it up. I can not get a Kerberos connection set up correctly.

                    I have tried several times but get the same error each time:

                    HTTP Status 500 -

                    --------------------------------------------------------------------------------

                    type Exception report

                    message

                    description The server encountered an internal error () that prevented it from fulfilling this request.

                    exception

                    javax.servlet.ServletException: Error calling FormActionhandler: testKerberosSettings_onClick reason: null
                    org.apache.struts.action.RequestProcessor.processException(RequestProcessor.java:535)
                    org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:433)
                    org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
                    org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
                    org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
                    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
                    javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
                    com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:1 73)
                    com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
                    com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:129)
                    org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)

                    root cause

                    java.lang.Exception: Error calling FormActionhandler: testKerberosSettings_onClick reason: null
                    com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
                    com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
                    com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
                    com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
                    com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
                    org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
                    org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
                    org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
                    org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
                    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
                    javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
                    com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:1 73)
                    com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
                    com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:129)
                    org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)

                    I suspect that I have a problem with the setup of the SPN mapping for my Livecycle LDAP user, however I have run out of ideas for setting this up correctly.

                    Can you please help?

                    Thanks in advance

                    Sincerely
                    Kim
                    • 7. Re: Can't Logout when Single Sign On is enabled
                      chetanm_oct Level 2
                      This issue was earlier reported and was fixed in one of the later builds (Post RC 2). Try with a more recent build and then you would not face this issue
                      • 8. Re: Can't Logout when Single Sign On is enabled
                        kc@dafolo.dk Level 1
                        How can I get my hands on a newer build?

                        Can you give me a link or something?

                        Sincerely
                        Kim
                        • 9. Re: Can't Logout when Single Sign On is enabled
                          Level 1
                          The problem with not being able to logout of Workspace with SSO
                          enabled is the following:

                          1. establish SSO session as user A
                          2. access Workspace
                          3. terminate the SSO session
                          4. establish SSO session as a new user B
                          5. access Workspace agiain.

                          I now get logged into Workspace as the original user A, as Workspace
                          still thinks it has an active session with my browser. I guess the
                          SSO credentials are only checked at initial login, so the change
                          is not detected.

                          If I now logout of Workspace, it automatically logs me back in as
                          the correct user B.
                          • 10. Re: Can't Logout when Single Sign On is enabled
                            chetanm_oct Level 2
                            Can you clarify few points

                            1. How do you establish the SSO session
                            2. How do you terminate the SSO session

                            Your observation is however correct

                            Workspace would check and create a session for you once you "create a sso session". After that it does not rely on the "sso session" and instead creates a LiveCycle SSO session. So even if you "terminate" your sso session workspace would not detect it. You would have to explicitly logout from workspace to terminate your LiveCycle session
                            • 11. Re: Can't Logout when Single Sign On is enabled
                              Hi John,

                              The intended behavior of Workspace SSO is to not ever allow a user to be in a logged out state unless the context from the point of login expires or is logged out. The fact that we still show the "logout" link when SSO is in use is unfortunate and something we will consider remedying in a future release.

                              Thanks,
                              Matt MacKenzie
                              Engineering Manager, LiveCycle Process Management
                              • 12. Re: Can't Logout when Single Sign On is enabled
                                Level 1
                                Ok.

                                My bigger issue right now is the fact that I can terminate my SSO
                                session with the Reverse Proxy (IBM WebSeal) and create a new SSO
                                session as a different user, and when I access Workspace again it
                                thinks I'm still the original user!
                                • 13. Re: Can't Logout when Single Sign On is enabled
                                  Level 1
                                  John,

                                  That is a problem! Could you please log this with support, and feel free to ask them to consult with me (mattm AT adobe DOT com) on the issue.

                                  Thanks, and apologies for the trouble you're having.

                                  Thanks,
                                  Matt