Friday, May 29, 2020

PingFederate redirect URL after logout

Readers

Logout is a typical requirement in the Single Sign-On world. PingFederate can perform either SAML single logout (SLO) or the logout of an individual adapter session; I will cover both of those in detail in a separate post.

It is also a common requirement to send the user to a login page (or some other landing page) after logout. Today, I will explain how PingFederate can redirect the user to a different URL after SAML logout.

The PingFederate SAML logout endpoint is https://<>/idp/startSLO.ping; calling it starts SAML single logout for the current session.

To land the user on a login page or another page afterwards, append the TargetResource parameter (URL-encoded, since an unencoded ? or & inside the target would be read as extra parameters of startSLO.ping) to the logout URL:

https://<>/idp/startSLO.ping?TargetResource=https://<

This TargetResource must be whitelisted as shown below; otherwise PingFederate refuses to redirect to it. That refusal is what stops the logout endpoint from being used as an open redirect, where an attacker sends a victim through a legitimate SSO logout link and then on to a phishing page.

Add the new <> under Security -> Redirect Validation by entering the domain name (for example abc.domain.com) and ticking the TargetResource for SLO and Other checkbox. This entry only takes effect when the ENABLE TARGETRESOURCE VALIDATION FOR SLO AND OTHER option is enabled: with validation on, PingFederate redirects only to hosts on this list, so every domain you intend to use as a TargetResource has to be added here; with validation off, any TargetResource value is followed.
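As an added illustration, which is my own code and not part of the original post or of PingFederate, the following Python builds the startSLO URL with a correctly encoded TargetResource and approximates the host-based check that a redirect allow list has to perform. The allow-list entries, the "*." wildcard form, the base URL https://sso.domain.com and the hostile URLs are all constructed for this example; PingFederate's real validation rules are not reproduced here.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed allow list in the spirit of the Security -> Redirect Validation
# entries (domain plus "Require HTTPS"). The "*." wildcard form and the entries
# themselves are assumptions made for this example, not PingFederate settings.
ALLOW_LIST = [
    {"domain": "abc.domain.com", "require_https": True},
    {"domain": "*.apps.domain.com", "require_https": True},
]


def build_slo_url(pf_base_url, target_resource):
    """Return the IdP-initiated SLO URL with TargetResource URL-encoded.

    Encoding matters: an unencoded '?' or '&' inside the target would be read
    as further query parameters of startSLO.ping, not as part of the target.
    """
    query = urlencode({"TargetResource": target_resource})
    return f"{pf_base_url.rstrip('/')}/idp/startSLO.ping?{query}"


def _host_matches(host, pattern):
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # "*.apps.domain.com" matches any subdomain but not the bare apex
        return host.endswith(pattern[1:])
    return host == pattern


def is_allowed_target(url, allow_list=ALLOW_LIST):
    """Decide whether a TargetResource may be used as a post-logout redirect.

    Rejects the classic open-redirect tricks: scheme-relative URLs, credentials
    in the authority (https://abc.domain.com@evil.com, where the real host is
    evil.com) and look-alike hosts (abc.domain.com.evil.com) that only share a
    prefix with an allowed domain.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, or scheme-relative "//evil.com"
    if parts.username is not None or parts.password is not None:
        return False  # userinfo trick: the host is whatever follows the '@'
    host = (parts.hostname or "").lower()
    if not host:
        return False
    for entry in allow_list:
        if _host_matches(host, entry["domain"]):
            if entry["require_https"] and parts.scheme != "https":
                return False
            return True
    return False


def post_logout_redirect(slo_url, allow_list=ALLOW_LIST):
    """What the SLO endpoint should do with the TargetResource it received:
    return the target when it passes validation, otherwise None (the case in
    which PingFederate shows an error page instead of redirecting)."""
    target = parse_qs(urlsplit(slo_url).query).get("TargetResource", [None])[0]
    if target is None or not is_allowed_target(target, allow_list):
        return None
    return target


if __name__ == "__main__":
    url = build_slo_url("https://sso.domain.com", "https://abc.domain.com/login?app=hr&x=1")
    print(url)
    print(post_logout_redirect(url))
    for bad in ("https://abc.domain.com@evil.com/", "https://abc.domain.com.evil.com/",
                "http://abc.domain.com/login", "//abc.domain.com/"):
        print(bad, "->", is_allowed_target(bad))
```

The point of the hostile inputs at the bottom is that a naive "does the URL contain abc.domain.com" check passes every one of them; the decision has to be made on the parsed host, after rejecting userinfo and non-HTTP schemes.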


If the redirect URL is not whitelisted, PingFederate does not redirect and you will see the error below.




Tuesday, May 12, 2020

Tomcat "Cannot recover key" SSL error

Tomcat was running with an SSL (HTTPS) connector. After the SSL certificate was renewed, Tomcat failed at startup with the error below.

java.io.IOException: Cannot recover key
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:507)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:218)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:650)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:821)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)


The error means that the private key entry in the keystore could not be unlocked with the password Tomcat used. Tomcat opens the keystore with keystorePass and, unless a separate keyPass attribute is set on the connector, reuses that same value as the password for the key entry. In a JKS keystore the store password and the key entry password are independent, so if the key was stored under a different password the key entry cannot be recovered and JSSE reports "Cannot recover key". Note that a successful keytool -list with the keystore password proves nothing about the key entry, because -list never touches the key password. The SSL section of server.xml is shown below. If you have a PKCS#12 (pfx/p12) wallet file, convert it to a Java keystore using the wallet password as the keystore password, so that the two passwords match.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="100" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/u01/app.jks" keystorePass="XXXXX" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />

Here the keystorePass value was different from the passphrase used when the private key and certificate were created. After recreating the Java keystore with the same password as the key and updating server.xml with that password, Tomcat started working fine. Two alternatives that avoid rebuilding the keystore are to set keyPass on the connector to the key's own password, or to change the key entry password with keytool -keypasswd so that it matches keystorePass.
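As an added example, written for this page and not taken from Tomcat or the JDK, here is a Python re-implementation of the password-based protection the JDK applies to each private key entry in a JKS keystore, as I understand it from sun.security.provider.KeyProtector (the DER EncryptedPrivateKeyInfo wrapper and the keystore container around the entry are omitted, so this does not read real .jks files). It shows why the message is literally "Cannot recover key": the entry carries its own password, the store password plays no part, and a wrong key password fails an integrity check rather than yielding garbage. The tomcat_unlock helper mirrors the keyPass/keystorePass fallback described above; the key bytes and passwords are made up for the example.

```python
import hashlib
import os


class UnrecoverableKeyError(Exception):
    """Stands in for java.security.UnrecoverableKeyException."""


def _passwd_bytes(password):
    # The JDK feeds the password in as big-endian UTF-16 code units (no BOM).
    return password.encode("utf-16-be")


def _xor_stream(passwd, salt, length):
    """Keystream: chained SHA-1(password || previous digest), seeded with the salt."""
    out = bytearray()
    digest = salt
    while len(out) < length:
        digest = hashlib.sha1(passwd + digest).digest()
        out += digest
    return bytes(out[:length])


def protect_key(plain_key, key_password, salt=None):
    """Produce salt || (key XOR keystream) || SHA-1(password || key)."""
    passwd = _passwd_bytes(key_password)
    salt = salt if salt is not None else os.urandom(20)
    stream = _xor_stream(passwd, salt, len(plain_key))
    encrypted = bytes(a ^ b for a, b in zip(plain_key, stream))
    check = hashlib.sha1(passwd + plain_key).digest()
    return salt + encrypted + check


def recover_key(protected, key_password):
    """Inverse of protect_key. The trailing 20-byte digest is the integrity
    check whose failure the JDK reports as "Cannot recover key"."""
    passwd = _passwd_bytes(key_password)
    salt, encrypted, check = protected[:20], protected[20:-20], protected[-20:]
    stream = _xor_stream(passwd, salt, len(encrypted))
    plain = bytes(a ^ b for a, b in zip(encrypted, stream))
    if hashlib.sha1(passwd + plain).digest() != check:
        raise UnrecoverableKeyError("Cannot recover key")
    return plain


def tomcat_unlock(protected, keystore_pass, key_pass=None):
    """Mirror the connector attributes: Tomcat unlocks the key entry with keyPass
    when that attribute is set and otherwise reuses keystorePass for it."""
    return recover_key(protected, key_pass if key_pass is not None else keystore_pass)


def find_key_password(protected, candidates):
    """Diagnostic: which of the passwords you believe you used actually opens the entry?"""
    for candidate in candidates:
        try:
            recover_key(protected, candidate)
            return candidate
        except UnrecoverableKeyError:
            continue
    return None


if __name__ == "__main__":
    # Constructed sample: stands in for a DER-encoded private key; made-up passwords.
    fake_key = bytes(range(70))
    entry = protect_key(fake_key, "KeyPassphrase!")
    try:
        tomcat_unlock(entry, "StorePassword")  # keystorePass only, as in the server.xml above
    except UnrecoverableKeyError as exc:
        print("startup fails:", exc)
    print("key entry opens with:", find_key_password(entry, ["StorePassword", "KeyPassphrase!"]))
    print(tomcat_unlock(entry, "StorePassword", key_pass="KeyPassphrase!") == fake_key)
```

Two things follow from the code. First, keystorePass is never consulted for the key entry, which is why the store can open cleanly while the connector still fails. Second, because the check is SHA-1 of password and plaintext, a wrong password is detected immediately and deterministically, so the fix is always to make the two passwords agree (keyPass, keytool -keypasswd, or rebuilding the keystore), never to retry.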