Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

Can't Logout when Single Sign On is enabled

Not applicable
Hi,



I have been able to get the Workspace Single Sign On feature to work, but now users can't logout of Workspace. It looks like the logout link logs the user out and redirects to the login page, which sees the SSO HTTP headers and logs the user back in.



Does anyone know of a way to correct this behavior?



Thanks.
13 Replies
Not applicable
This behaviour is as designed. If Workspace is configured for SSO then a Workspace logout has no real purpose. You would need to logout of the SSO session.
Not applicable
Is there a way to remove the "Logout" link from the top menu when single sign on is enabled?
Not applicable
Unfortunately there is no clean way to detect for SSO. The only thing I can propose is if this is a pure SSO environment then you can remove the logout button in Workspace and recompile/deploy the app.
kc
Level 8
Level 8
I would like to know a litlle bit about how to setup the SSO for LC, is it possible to make it work with Windows domain logon?



Sincerely

Kim
chetanm_oct
Level 4
Level 4
Yes with LC ES Update 1 (or 8.2.1) its possible to have SSO with Windows domain logon.

The documents explaining that are currently avialable through prerelease site. If you are part of pre-release program you can access it under documentation at User Management > Enabling SSO in LiveCycle ES > Enabling SSO using SPNEGO



Let us know if you require more details on that.
kc
Level 8
Level 8
Hi again,



Thanks for the info - I have found the documentation that you mention, however I still need some help setting it up. I can not get a Kerberos connection set up correctly.



I have tried several times but get the same error each time:



HTTP Status 500 -



--------------------------------------------------------------------------------



type Exception report



message



description The server encountered an internal error () that prevented it from fulfilling this request.



exception



javax.servlet.ServletException: Error calling FormActionhandler: testKerberosSettings_onClick reason: null

org.apache.struts.action.RequestProcessor.processException(RequestProcessor.java:535)

org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:433)

org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)

org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)

org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)

javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

javax.servlet.http.HttpServlet.service(HttpServlet.java:810)

com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)

com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)

com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:129)

org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)



root cause



java.lang.Exception: Error calling FormActionhandler: testKerberosSettings_onClick reason: null

com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)

com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)

com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)

com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)

com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)

org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)

org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)

org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)

org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)

javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

javax.servlet.http.HttpServlet.service(HttpServlet.java:810)

com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)

com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)

com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:129)

org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)



I suspect that I have a problem with the setup of the SPN mapping for my Livecycle LDAP user, however I have run out of ideas for setting this up correctly.



Can you please help?



Thanks in advance



Sincerely

Kim
chetanm_oct
Level 4
Level 4
This issue was earlier reported and was fixed in one of the later builds (Post RC 2). Try with a more recent build and then you would not face this issue
kc
Level 8
Level 8
How can I get my hands on a newer build?



Can you give me a link or something?



Sincerely

Kim
Not applicable
The problem with not being able to logout of Workspace with SSO

enabled is the following:



1. establish SSO session as user A

2. access Workspace

3. terminate the SSO session

4. establish SSO session as a new user B

5. access Workspace agiain.



I now get logged into Workspace as the original user A, as Workspace

still thinks it has an active session with my browser. I guess the

SSO credentials are only checked at initial login, so the change

is not detected.



If I now logout of Workspace, it automatically logs me back in as

the correct user B.
chetanm_oct
Level 4
Level 4
Can you clarify few points



1. How do you establish the SSO session

2. How do you terminate the SSO session



Your observation is however correct



Workspace would check and create a session for you once you "create a sso session". After that it does not rely on the "sso session" and instead creates a LiveCycle SSO session. So even if you "terminate" your sso session workspace would not detect it. You would have to explicitly logout from workspace to terminate your LiveCycle session
Not applicable
Hi John,



The intended behavior of Workspace SSO is to not ever allow a user to be in a logged out state unless the context from the point of login expires or is logged out. The fact that we still show the "logout" link when SSO is in use is unfortunate and something we will consider remedying in a future release.



Thanks,

Matt MacKenzie

Engineering Manager, LiveCycle Process Management
Not applicable
Ok.



My bigger issue right now is the fact that I can terminate my SSO

session with the Reverse Proxy (IBM WebSeal) and create a new SSO

session as a different user, and when I access Workspace again it

thinks I'm still the original user!
Not applicable
John,



That is a problem! Could you please log this with support, and feel free to ask them to consult with me (mattm AT adobe DOT com) on the issue.



Thanks, and apologies for the trouble you're having.



Thanks,

Matt