AM version: 22.214.171.124-10 (appliance)
I am trying to configure IDP initiated front channel logout for OIDC/OAuth application. For that I have specified Front-Channel Logout URI and enabled Enable Session Token as described in Register client applications documentation.
As stated in documentation, expected result is that during user logout NAM redirects user to OIDC application logout URL and pass required information to identify user's session (iss and sid parameter like https://client.example.org/fc_logout?iss=https://idp.server.com&sid=LDtAIRsTGdW6Fyhdi)
After configuring everything logout works, and NAM during logout redirects user to URL specified in configuration and adds required parameters (both sid and iss), but problem is that there is no way to identify user based on sid parameter.
As stated in documentation, sid is of course not NAM session ID, but something else (quote: "is a co-relation ID that the client application uses to identify the unique user sessions established at Identity Server").
Looking at OpenID Connect Front-Channel Logout specs, section Relying Party Logout Functionality, sid and iss values should be matched to sid and iss values received in ID token, but Access Manager does not send sid parameter in ID token, hence OIDC application has no reference to know which session has actually been logged out.
Question: How to configure Access Manager to send sid parameter as part of ID token?