First, I set up a very simple Reverse Proxy with SSL enabled.
Second, I create an equally simple Proxy Service whereby it only has a single Protected Resource of "/*" that applies to everything.
The contract is set to a Secure Name/Password Form. No Auth, Identity Injection or Form Fill.
Then, I access the proxy service (https://www.mycompany.com) as a regular user and log in. I can browse the site as expected.
1) As soon as I type "https://www.mycompany.com/AGLogout" -- the Novell branded logout page shows a missing/broken graphic at the top-left and top-right. EXPECTED: The graphics should have displayed correctly.
2) If I again do a GET to "https://www.mycompany.com/AGLogout" I am sent to the IDP to log in. EXPECTED: This is the special-to-NAM logout URL path. I should have remained on that proxy service and simply been redisplayed the logout URL. That is how the LAG has behaved in NAM 3.1 SP4 and in every previous release. After all, I can't log in to a logout URL, so it doesn't make sense to send me to the IDP. The old LAG behavior of simply redisplaying the logout page should be how the MAG reacts as well.
3) If I choose to continue and log in at the IDP, my address bar is redirected to the logout link of the MAG, but with a login page vended again to the screen. All of this confusion could have been avoided by the MAG knowing to never redirect a GET of the special /AGLogout to the IDP for authentication.
Each of these three items needs to be separately addressed.
- Stefan