This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

OpenID Connect front-channel logout


AM version: (appliance)

I am trying to configure IDP initiated front channel logout for OIDC/OAuth application. For that I have specified Front-Channel Logout URI and enabled Enable Session Token as described in Register client applications documentation.

As stated in documentation, expected result is that during user logout NAM redirects user to OIDC application logout URL and pass required information to identify user's session (iss and sid parameter like

After configuring everything logout works, and NAM during logout redirects user to URL specified in configuration and adds required parameters (both sid and iss), but problem is that there is no way to identify user based on sid parameter.

As stated in documentation, sid is of course not NAM session ID, but something else (quote: "is a co-relation ID that the client application uses to identify the unique user sessions established at Identity Server").

Looking at OpenID Connect Front-Channel Logout specs, section Relying Party Logout Functionality, sid and iss values should be matched to sid and iss values received in ID token, but Access Manager does not send sid parameter in ID token, hence OIDC application has no reference to know which session has actually been logged out.

Question: How to configure Access Manager to send sid parameter as part of ID token?

Kind regards,


Parents Reply Children
  • Hi Shane!

    Yes, we had some challenges identifying exact issue, since support in their tests always got sid parameter within ID token and I did not. Everything on AM side was the same, then we figured out that there are differences on client side (thanks to all MF persons involved for their help Blush).

    It looks like the problem happens only if there is no session cookie when authorization code is exchanged for token, for example when call to token endpoint is happening on the backend server, not in the browser.

    But if call to token endpoint happens in browser (browser sends session cookie with request), then sid parameter is part of ID token as it should be.

    Kind regards,