Submit Feedback
Legacy Knowledge Base
Published Jun. 30, 2025

SAML Logout Issues: Multiple Login Entries and Optimistic Locking Exceptions

Written By

Madhusudan Sharma

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided"as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • When a user logs out after authenticating via SAML, multiple login entries might be recorded in the audit logs. This can lead to HibernateOptimisticLockingException errors, particularly during concurrent user sessions or frequent login/logout attempts.

Environment

  • Liferay DXP 7.4

Resolution

  • This issue often stems from misconfigurations or customizations related to the SAML integration, especially involving the com.liferay.saml.internal.servlet.filter.SpSsoSamlPortalFilter.

    Check for Blacklisting:

    If the SpSsoSamlPortalFilter is blacklisted (disabled) to prevent redirection to the Identity Provider (IdP) for native logins, it can disrupt the logout process for SAML users. Instead of blacklisting, use one of these approaches:

    1. Sign-In Widget: Add a dedicated "Sign-In" widget to the default home page for users who authenticate through the native login. This provides a direct login path without triggering the SAML redirection.
    2. Direct Login Link: Provide a direct link to the login portlet, bypassing the SAML filter. The URL structure would be similar to: http://your-liferay-instance/?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_state=maximized. Embed this link in a button, text, or other appropriate element on your login page.

    Review Customizations:

    Thoroughly review any custom code or configurations related to user authentication, login, or the SAML integration itself. If customizations are present, try temporarily disabling them to isolate the issue. Pay close attention to any modifications to the SpSsoSamlPortalFilter or related classes. If the issue resolves after disabling customizations, carefully examine the custom code for conflicts or incorrect handling of the SAML logout process.

    Verify SAML Configuration:

    Double-check the SAML configuration to ensure it's correctly set up according to the IdP's specifications. Incorrect settings can lead to incomplete logouts and subsequent errors.

Additional Information

Did this article resolve your issue ?
Legacy Knowledge Base
Did this article resolve your issue ?