7021387: NetIQ Access Manager NIDP server acting as WS-Fed IDP runs into Java exception on signout request

This document (7021387) is provided subject to the disclaimer at the end of this document.


Access Manager 4.2

Access Manager 4.3

Access Manager 4.4


  • NetIQ Access Manager NIDP server acting as WS-Fed IDP

  • The WS-FED signout request to




    leads to a 500 Internal Server Error (Java exception) at the IDP server if no “wtrealm” parameter is passed:

  • If the above request includes the wtrealm parameter, the logout works without any problems.





When no realm (wtrealm) is passed with the logout request, the endpoint path to use is “/nidp/wsfed/loreply”. Example for the above scenario: “sloUrl = https://idpa.kgast.nam.com:8443/nidp/wsfed/loreply”

In general, the WS-Fed metadata can look like this:

    WSFedDescriptorID = https://idpa.kgast.nam.com:8443/nidp/wsfed/
    sloUrl = https://idpa.kgast.nam.com:8443/nidp/wsfed/loreply
    ssoUrl = https://idpa.kgast.nam.com:8443/nidp/wsfed/ep


The wrong endpoint, “https://idpa.kgast.nam.com:8443/nidp/wsfed/ep”, was used for logout.

Additional Information

Without the “wtrealm” parameter, the IDP server does not know for which Service Provider (SP) the session logout should be processed. In such a situation a global / complete logout should happen. The WS-Fed endpoint required for this scenario has been configured in the wrong way.
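
The endpoint rule from this article as an added example (not NetIQ code): a Python check an SP integrator could run on a sign-out URL before redirecting the browser to the IDP. The function names, the sample query strings and the realm urn:example:sp are constructed for illustration; the article does not show the request's query string, and wa=wsignout1.0 is the standard WS-Federation sign-out action.

```python
from urllib.parse import urlsplit, parse_qs

# WS-Fed metadata values as listed in this article, one "key = value" per line.
METADATA = """\
WSFedDescriptorID = https://idpa.kgast.nam.com:8443/nidp/wsfed/
sloUrl = https://idpa.kgast.nam.com:8443/nidp/wsfed/loreply
ssoUrl = https://idpa.kgast.nam.com:8443/nidp/wsfed/ep
"""

def parse_metadata(text):
    """Turn 'key = value' lines into a dict."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            meta[key.strip()] = value.strip()
    return meta

def endpoint(url):
    """Scheme, host:port and path of a URL; query and trailing slash ignored."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/"))

def check_signout(url, meta):
    """Classify a sign-out URL before the SP redirects the browser to it."""
    # parse_qs drops empty values, so "wtrealm=" counts as missing (assumption).
    if parse_qs(urlsplit(url).query).get("wtrealm"):
        return "ok: wtrealm present"
    target = endpoint(url)
    if target == endpoint(meta["sloUrl"]):
        return "ok: realm-less logout goes to sloUrl"
    if target == endpoint(meta["ssoUrl"]):
        return "error: realm-less logout goes to ssoUrl, use sloUrl"
    return "error: endpoint not in metadata"

if __name__ == "__main__":
    meta = parse_metadata(METADATA)
    # Constructed sample requests; wa=wsignout1.0 is the WS-Federation
    # sign-out action and urn:example:sp is a placeholder realm.
    for url in (
        meta["ssoUrl"] + "?wa=wsignout1.0",
        meta["ssoUrl"] + "?wa=wsignout1.0&wtrealm=urn:example:sp",
        meta["sloUrl"] + "?wa=wsignout1.0",
    ):
        print(check_signout(url, meta), "<-", url)
```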


This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

