Question:
We're running CA PAM. When I protect the application with SAML, the
SLO functionality doesn't work as expected. I don't get logged off
the application even after I have clicked the logoff button.
My environment is integrated with CA Single Sign-On 12.7 as the IdP.
Answer:
After the logout, when the browser returns to the IdP, it presents
an SMSESSION cookie. Because this session is still valid, the IdP
does not ask for credentials and sends the SAML response straight
back to the SP (PAM) side. That is why it looks as though the logout
functionality doesn't work with SAML.
To make the logout button remove both the SP and the IdP cookies,
you need to open an Idea on the PAM product, requesting that PAM
SAML Authentication implement the full SAML SLO functionality.
https://communities.ca.com/ideas/235738413-ca-pam-slo-configuration
KB : KB000071352
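
An added example, not part of the original KB article or of the product's code: a Python check that reads the Set-Cookie headers captured while clicking the logoff button and reports whether only the SP cookie or both the SP and IdP cookies were invalidated. `PAM_SP_SESSION` is a hypothetical placeholder for the SP session cookie name, the `LOGGEDOFF` marker value is an assumption, and the sample headers are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

IDP_COOKIE = "SMSESSION"       # IdP session cookie named in the answer above
SP_COOKIE = "PAM_SP_SESSION"   # hypothetical placeholder for the SP session cookie

def is_cleared(morsel, now):
    """True when a Set-Cookie header invalidates the cookie instead of setting it."""
    if morsel.value in ("", "LOGGEDOFF"):   # LOGGEDOFF: assumed logged-off marker
        return True
    max_age = morsel["max-age"]
    if max_age and max_age.lstrip("-").isdigit() and int(max_age) <= 0:
        return True
    if morsel["expires"]:
        try:
            return parsedate_to_datetime(morsel["expires"]) <= now
        except (TypeError, ValueError):     # unparsable or naive date: not proof
            return False
    return False

def audit_logout(set_cookie_headers, now=None):
    """Classify a logout from the Set-Cookie headers seen during the logoff click."""
    now = now or datetime.now(timezone.utc)
    cleared = {IDP_COOKIE: False, SP_COOKIE: False}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name in cleared:             # a later header overrides an earlier one
                cleared[name] = is_cleared(morsel, now)
    if cleared[SP_COOKIE] and cleared[IDP_COOKIE]:
        return "full-logout"
    if cleared[SP_COOKIE]:
        return "sp-only"    # IdP session survives, so the next SSO round trip is silent
    return "no-logout"

# Constructed sample captures, not taken from a real PAM or SSO deployment.
SP_ONLY = ["PAM_SP_SESSION=x; Max-Age=0; Path=/"]
FULL = SP_ONLY + ["SMSESSION=LOGGEDOFF; Path=/; Domain=.example.test"]

if __name__ == "__main__":
    print("SP-only capture:", audit_logout(SP_ONLY))
    print("Full capture:   ", audit_logout(FULL))
```

A result of `sp-only` matches the behaviour the answer describes: the SP cookie is gone, but the IdP still accepts SMSESSION and issues a new assertion without prompting.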