We have logout Request Object from the java and we don't have the cookie session index value but we have the session index coming from SAML2 assertion XML coming from wso2Is ,So by using the session Index and logout Request how can i post by using the ajax call or any rest-client.
Can any one provide me the URL of logout request how it will be?
Check out this blog post. It provides steps you should follow.
Basically you need to create the SAMLogoutRequest as below,
<saml2p:logoutrequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" id="flkjhgfehcfjkjjmabgkcmlcnalbcillibfeeeag" issueinstant="2013-06-28T11:51:06.024Z" notonorafter="2013-06-28T11:56:06.024Z" reason="urn:oasis:names:tc:SAML:2.0:logout:user" version="2.0">
<saml2:nameid xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">admin</saml2:nameid>
<saml2p:sessionindex>26C0530CBEA1DCF404C95B029D6A64AF</saml2p:sessionindex>
</saml2p:logoutrequest>
and send a POST to https://localhost:9443/samlsso (which is the saml sso logout endpoint by default)
You could use https://localhost:9443/samlsso?slo=true&spEntityID=travelocity.com&returnTo=https://localhost:8080/avs.com/slo Get reqeust for logout.
Related
I have to introduce SAML2 authentication in my Django Project.
My base app use CSRF Token that is provided by #ensure_csrf_cookie decorator in the main page.
For implementing SAML, I've added a new "login" button on main page (the one that set se csrf token cookie). The button send the SAML request to IDP. When I return from IDP to a landing page (a view in saml2 sub-app that reads the response) I got a 403 Forbidden error about CSRF Token.
I'm using OneLogin python Library (python3-saml). https://github.com/onelogin/python3-saml
The landing page is the one that ends with: ?acs
What I want to know is if its a problem of my landing page or the IDP Response has to be binded with csrf token in some way.
Thanks.
NOTE: I've also tryed to add IDP domain in CSRF_TRUSTED_ORIGINS setting
You will probably need to mark the SAML return view as #csrf_exempt as the IDP wouldn't know how to pass the Django-specific CSRF token.
I am using WSO2-IS 5.3.0. I have configured many service provider and SAML SSO is working as expected. But when it comes to Logout, One functionality is working fine. It means it redirects me to a common logout page after an invaliding session.
Here, I have one case, I have one service provider for it, I need to perform single logout but it should redirect to my custom login page. Though IS providing the option to configure return URL(SLO Response URL) you can see in the below screenshot. I have done that but still its redirects to the common logout page.
Do I need any other configuration too?
You are performing an IdP initiated SLO as per the given request URL. In that case, you can use the returnTo parameter in that request to redirect the response.
So set the SLO response URL to return to URL of the Enable IdP initiated SLO config. Sample request would be as follow.
https://localhost:9443/samlsso?slo=true&spEntityID=travelocity.com&returnTo=https://localhost:8080/avs.com/slo
But, you might have to define the SP specific parameters in the request.
Reference : http://daytodayjava.blogspot.com/2015/08/saml2-idp-initiated-single-logout-with.html
I can't find source for package org.wso2.carbon.identity.sso.saml.
In github repository wso2-attic/carbon-identity there are these classes, but there is note, that repository is no longer used for development and I find there 2 links:
https://github.com/wso2/identity-framework
https://github.com/wso2-extensions?utf8=%E2%9C%93&query=identity
But I didn't find there any classes from package org.wso2.carbon.identity.sso.saml.
I have some problems with SSO SLO from 2 applications:
I login to 2 applications: a and b.
Logout from one application works properly, but when I try to logout from second application, I get error
[4] [IS]ERROR {org.wso2.carbon.identity.sso.saml.processors.SPInitLogoutRequestProcessor} - ssoTokenId cookie not found in the logout request
and html:
SAML 2.0 based Single Sign-On
Error when processing the authentication request!
Please try login again.
SAML Logout response has link
https://test2-sso2.auth.test.vu.lt:9443/authenticationendpoint/samlsso_notification.do?status=Error+when+processing+the+authentication+request%21&statusMsg=Please+try+login+again.
and SAML response parameter:
<saml2p:LogoutResponse Destination="https://test2-wso2.auth.test.vu.lt:9443/samlsso"
ID="_9cb47e1d90276bcc53d4b110d3573b82"
InResponseTo="fgehcpnbagimhhcacbaanopameodckepmopaoaek"
IssueInstant="2017-08-31T11:09:43.403Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>test2-wso2</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
<saml2p:StatusMessage>Session was already Expired</saml2p:StatusMessage>
</saml2p:Status>
</saml2p:LogoutResponse>
So, I have 2 questions:
where I can find classes from package org.wso2.carbon.identity.sso.saml;
maybe somebody could help me with my problem with SSO SLO?
We are working with WSO2 IS v.5.3.0. One of these applications was travelocity.com and another is our application with architecture similar to travelocity.com. We are working in multi-tenant architecture. Both applications (Service Providers) are configured in the same tenant
I'm assuming you are looking for SPInitLogoutRequestProcessor. You can find it at [1]. For IS 5.3.0, the SAML component related development happens in the 5.3.x branch.
For your query on SLO; when you have the 2 applications configured for single logout and you logout from one application, the Identity Server is invalidating the user's authenticated session and sends back-channel SAML logout request to the other session participants (App 2 in this case). So the 2nd application should invalidate it's user session upon receiving the logout request from IS.
The error you are seeing should be due to IS not being able to find a valid authenticated session (as the session is already removed) for the logout request. [2] has a detailed explanation on how the single logout happens in IS.
One other approach you can take is to check whether there's an existing authenticated session in the IDP side before sending the logout request. You can use a passive SAML request to check the status of the session and if the session is already there then send the logout request.
Currently we are using WSO2 IS 5.1. In a single logout process, is it possible that can only the session that has requested, has been logout but other shared session still has remained?
I want to ask better, how we can display in my web application an option list from other SP issuers that their SP sessions has made during SSO login, and then we make to choose which the session that want to log out and can send logout request for selected SP and also want that only selected session has been log outed. exists any suggestion or example?
thanks a lot
First you need to know the flow of single logout in WSO2 Identity Server.
In one Service Provider(SP) send the logout request to Identity Provider(IDP). Then IDP determine the session participant. If session participant exist then send the logout request IDP to SP. After SP issue a logout response to the IDP. After that IDP send the logout response to original logout request. Now all session participant terminated.
You can found more details here.
It seems by default IS can't achieve your requirement.
Is it possible somehow to pass a return url to the Identity Server when performing a SAML SSO and have that url posted back to my assertion url when the user authenticates successfully?
The RelayState (described here) parameter that is sent to the IdP can be used to post the return URL to the IdP and have it back when the Authentication Response is send back from the IdP. Of course as this is an HTTP POST parameter, if you store a URL there it has to be propertly encoded/decoded.
However keep in mind that this might be used by an attacker to trick the use to open a trusted URL (this of the identity server) and redirect it to a malicious site. To prevent this the redirect URL should be validated.