000036523 - RSA Cloud Authentication Portal logout is looping in web browser

Document created by RSA Customer Support Employee on Jul 13, 2018
Version 1

Article Content

Article Number: 000036523
Applies To: RSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router, Cloud
 
Issue

An end user can log in to the Portal and access applications normally. However, when they try to log out of the Portal, the logout appears to "loop" and never completes.
In the User Event Monitor of the RSA Cloud Administration Console, each end user Portal logout generates repeated events.  The first event recorded for the logout appears normal and has the correct User ID listed for the user.  However, many additional events are also generated with User ID N/A, Event Code 907, Description Portal logout succeeded. and Application Portal.
 
Cause

This issue will occur when the Portal Host Name is not within the configured Protected Domain Name.

Example


This issue will occur if the Portal Host Name is portal.example.com and the Protected Domain Name configured in the RSA Cloud Administration Console is dmz.example.com.  The issue will also occur if the Portal Host Name is identical to the Protected Domain Name.
Resolution

The Portal Host Name must include the full Protected Domain Name that is configured in the RSA Cloud Administration Console at Company Settings > Company Information > Protected Domain Name. For the first example given in the Cause section above, the Portal Host Name should be portal.dmz.example.com.

Protected Domain Name requirements are described in the Online Help's Protected Domain Name page. In particular, note the advice on that page to "avoid using registered domains as the protected domain name."

To fix this issue, there are two options, described below.  You can either:
  • Change the Portal Host Name to be within the Protected Domain Name, or
  • Change the Protected Domain Name to match the Portal Host Name's domain

Change the Portal Host Name


If you choose to change the Portal Host Name to use the Protected Domain Name, you will need to do the tasks listed below. These instructions use the example names from above:

  1. In your DNS, move the portal DNS records from the example.com domain to the dmz.example.com domain.
  2. If you are using a load balancer, its virtual IP (VIP) host name configuration may need to be changed.
  3. Get a new public certificate for subject *.dmz.example.com. Upload the new public certificate and private key in the Cloud Administration Console under My Account > Company Settings > Company Information. Also update the certificate chain if that has changed.
  4. In the RSA Cloud Administration Console, under Applications > My Applications, modify all URLs that reference the Portal Host Name to the new value in every Application. Instructions to edit your Applications are on the Online Help page Manage My Applications.
  5. In the RSA Cloud Administration Console, under Platform > Identity Routers > idrName > Edit > Basic Information, change the Portal Host Name to the new value in every RSA Identity Router (IDR).  Instructions to edit your IDRs are on the Online Help page Manage Identity Routers.
  6. Change any links in company web sites, and end users' bookmarks, to use the Portal Host Name; for example, https://portal.dmz.example.com
  7. We recommend reading the Identity Router DNS Requirements, so you can identify the other URLs in your RSA Cloud Authentication Service deployment and modify them as necessary in DNS and in the RSA Cloud Administration Console to use the Protected Domain Name.
Guidelines for configuring these items are also in the Quick Setup Guides listed on the Cloud Authentication Service Planning and Configuration page.
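
The check below is an added example, not RSA code or part of the original article. It tests the rule from the Cause and Resolution sections and audits the URLs touched in steps 3 to 6 before you change them. It assumes "within the Protected Domain Name" means a proper subdomain compared per DNS label, and it applies the standard TLS rule that a wildcard certificate covers exactly one leftmost label; all function names and the sample URL list are hypothetical.

```python
from urllib.parse import urlsplit

def _labels(name):
    # DNS names compare case-insensitively; a trailing dot is the root label.
    return name.strip().rstrip(".").lower().split(".")

def is_within_protected_domain(host, protected_domain):
    """True only if host is a proper subdomain of protected_domain.

    Comparison is per DNS label, so 'portal.xdmz.example.com' is not
    treated as being inside 'dmz.example.com'. An identical name fails,
    matching the second case in the Cause section.
    """
    h, d = _labels(host), _labels(protected_domain)
    return len(h) > len(d) and h[-len(d):] == d

def wildcard_covers(host, cert_subject):
    """True if a '*.domain' certificate subject covers host.
    A wildcard stands for exactly one leftmost label."""
    h, c = _labels(host), _labels(cert_subject)
    return c[0] == "*" and len(h) == len(c) and h[1:] == c[1:]

def audit(urls, protected_domain, cert_subject):
    """Return {url: [problems]} for every URL that needs attention."""
    findings = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        problems = []
        if not is_within_protected_domain(host, protected_domain):
            problems.append("outside protected domain")
        if not wildcard_covers(host, cert_subject):
            problems.append("not covered by certificate")
        if problems:
            findings[url] = problems
    return findings

# Constructed sample values using the article's example names.
SAMPLE_URLS = [
    "https://portal.example.com",          # the looping case
    "https://dmz.example.com",             # identical to the domain
    "https://portal.dmz.example.com",      # correct
    "https://Portal.DMZ.example.com./",    # same host, different spelling
    "https://a.b.dmz.example.com",         # inside domain, two labels deep
]

if __name__ == "__main__":
    for url, problems in audit(SAMPLE_URLS, "dmz.example.com", "*.dmz.example.com").items():
        print(url, "->", ", ".join(problems))
```

Replace SAMPLE_URLS with the Portal, Application and Identity Router URLs from your own deployment; any URL the audit reports still needs a DNS, certificate or console change.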

Change the Protected Domain Name


If you wish to change the Protected Domain Name to match the Portal Host Name's domain, in our example that would mean changing the Protected Domain Name from dmz.example.com to example.com.  We recommend that you "avoid using registered domains as the protected domain name", for the reasons explained on the Protected Domain Name page.  However, it can be done.

To make this change:
  1. On the RSA Cloud Administration Console at Company Settings > Company Information, modify the Protected Domain Name.  For more information, see Configure Company Information and Certificates.
  2. We recommend reading Identity Router DNS Requirements, so you can identify the other URLs in your RSA Cloud Authentication Service deployment and modify them as necessary in DNS and in the RSA Cloud Administration Console, to use the Protected Domain Name.  Changes will likely be required to the internal domain names configured for:
    • Applications - this may also necessitate digital certificate changes and SAML configuration changes in the application itself
    • Identity Routers
  3. In your DNS, move records under the dmz.example.com domain to the example.com domain.
  4. Change any links in company web sites, and end users' bookmarks, to use the new names, e.g. https://webapp.dmz.example.com

Guidelines for configuring these items are also in the Quick Setup Guides listed on the Cloud Authentication Service Planning and Configuration page.

Notes

If you have questions about the specific changes required in your deployment, please contact RSA Customer Support.
